A system for protecting software from copying wherein the software to be protected is placed on the
computer system in two parts. A first part is stored in non-volatile storage, such as a hard disk or floppy
disk within the computer system (100), and a second part is stored and executed in a "hardware key",
which is attached to the computer system (100). The second part is stored in volatile RAM and will be
erased when electrical power is removed from the hardware key (122) when the software stops execution.
This requires that the second part of the software be reloaded each time the hardware key (122) is powered up.
Typically, the second part of the software will be loaded from a network or from a cable network, thus
reloading of the second part into the hardware key (122) is a trivial matter, so long as the user is an active
subscriber to the network or cable network.
Find any links, references or other items that Refer to
Destination Sites on the Internet

Transform these References so that they Request
the item through the CyberArmour Secure Link

Return to


METHODS AND APPARATUS

|)S4B1J-; %^irH OH APPLICABLE TO
THE USE OF THE INTERNET



[ (IfOT) Is 1 

widely used 00 the World Wide isuscdbya web bm^r as a cte 

pt^gmm to niake requests <ifW^ sm^ers through the Internet, A web browser user 
eaB request or open a page V t^8^ m a Ifnlto Resource Locator (URL) or 
fey djckii^ on a i^p&^ link, Tlie browser Sism seiids tise HTTP leqife^ to the 
Mmet Fmtocoi (IP) address ssdieated fe^ the or » aid ih« reqs^fcsd page is 
s^temsd, T!3^ mt tm^ oti^er teixi Appiia^tbx^ Protocols «ucfe as those used t>r 
o~ma! (SMTP, FOP) md file- tmisfev (FTP) as \=v«S as pmptkxmy ^pEcatioH 
^>rot0cob which are ts^d by ] 
HTTP srjd 0tte lBta^ 



W^n usm aiBc«ss the Mmm issiag HUT or a»y 

access the Internet throi^gh au fo^rai provider of sc^:! 
Ok% en^ployer, m isiterxsei Cafe^ JImjst oto 
other pRivider. The user's laten 



- TMh provider is^' be 
r (IS?) or some 



2 



t server ideiUlied fey tlie URL as^ wocEated IP 



llmrs immu providers oftm 



asd cooldtes kept loca% oii the Bsesr^s 
tMs hmm ^ s fer«8dhi of thek privacy. 



coj3tt«sS$ of any of tlie us^'s wirmal 
my e-maik pidte<l-«p or sem fey the 
ssd w foism tte Oie user iiils m 



calkd 'SJ»sg* is wiskty- avaM^lg. The ahil%- for Inlemel 



providers sxtd other awjhines to rms 
: adds ro tears of C^te-CiKm 



aisd bjwbes m security' asd prtwy oi5 the 



hoki m ihmx some Monrnte aboM the requestor. Ilxis b oto below the 
AppBeatson FrotcKol La^ aud k llie case ofHTfP BroiJ^ser trsmadioiB is at 
the socket or ttm^rt layer. EKara^sles of tiM iafonmtion isickide the iBtemet 
Address of the regues^or/ imr so tlsat the Web Server can rs^l^im mfonmtloo to 
fhem, mfimmtioft about the Jjsef s opemtmg system or browser £>p£' as well as jnore 



J 
Prefebly is tte of tise mvsate

1 ) A client establishes a secure cotmectior. \vitt.h an intsjrmedkry sflsr; 

2) The cUmt ixses the secure coimectioa to a retpe.st for a desd?iatbn site 

cdMainisg oMy sekcted iuS)nMtios3 as to the direct idojtity of the clie^^; 
4) The mtenneaary sends the imemet request to the destination siie; 
from 0 to 65535 with i



to coBStict to sm'csr prograxsis. Post «iu«r>«irs 
numbers 0 to 1023 med tor stjm« s*irvic«s, fur 
the deM M IfTTP m4 mmhsr 443 i>t HTTFS 
TOt haw to l>e used as^ pnsfemMy »i the aiethod of 
pon sumbers, ie. above are tised wtei 
the irstertnedmy sjle, Hbls aifovvs clients to «se 




0 to i023 tassge an<J are etTatth'«l>' bjpassed by 



aambcrs abow 1023 is tho^te pro- 



ABOtlier mp^t of tlse mveatioa provides a metlKjd for |>reventkg "IMil of Senior 



a dcstmatiojj site biit does not waM for lite r^spojjses. By doing this, the dest«mdon 
she. Is slowed dowB because k Is a>mm»8% ssssdkjg a Is 
large) MterBet tenses t« tib imSclom €Seat ^ ha 
clleat*s reqisesls. By keejj% tsack of \fdiether dksts mil to r 

thek reqijesls or not ths? \mera5«jdiary s^^rva cm a.ldress; thess,; ^'Demsi of Sen'ice 
refei^bly the imtm mn^m^ boldisig baek the passing on of clknt 
s to the deMfeatksn site by some period of time-, tbe iengih o^'>^'hkh k related 
site. The intermediary site acts as a (and preferably
for tk? cEmt or m&f site a»d as a cjto or tiser 
Itik is to the exU^nt tliat all foggmg entries on & dc: 
istemiedEarf sjt« as the client or «ser ami 



she for tk^ destmatioa sfe, 



The mtknls described bereiB can i?i^nro%'e eflgcknc;y ^kI of IntOTt 

tsaasaeiions. m c4»j be fey tlie «.se. of cost^ression mi otte imtl^ods. CompressiotJ 



as tliis is issMlfy selatlvefy siow. Thiis the mtrodiictioB i>f m mien.) 
ti^t congresses traasactiom as Ifey |^ to and torn tbe c UeM is s 
of tke kivmtk>B. lliis cas be ^Mevsd by «sk 



tssvmg BOTs to allow a cHent to estab&li a s«cwe connection mlh the server. Tns 
server may con^srise sBeam to pexfemj aay of the steps of my of the methods 
request in the case where the destination is a normal Web Server. The normal
Internet request, since it is sent by the intermediary site, contains information
concerning the identity of the intermediary site and no information or only limited
information concerning the identity of the real Internet client. The intermediary site




sxleed nmy not be teqmfed sosae ki&tasc«s asd for ssoiiss applkmi ptolocols. 



it: 



Inleniet ?^ites oiid tras:^fomis thc^ Ifmt a^y requests fts^de for ihcs<: &>ks 



rt cS^st. m nocks' M\m mqxmm tko«gh the 



% hj^pertest link wsJfeia a viewed web page to access a ^par.ue web p-^ge. The web 
5ag« is accessed thmiigfe the mtemjedkry site (tilbwxag tise steps of the method 
I) iate than tet^' because the &ik has been 



to tbe Internet via the idtrnneaaty s&e being bt^ken smd normal web acces 
mmmtm wMcIt mm be logged or s»DMtor«d 1^ Intemel servers or ibe asor's fSP. 



for illustration pji^x^ses. A mpoim x^mn^d by rhe d&^iimaart site to the 
intermediary site, :mmsSttgMnaiJLi» d^te a link k> ar.a^i>er web %[te, 
mm^im- 'the corresponding HTML eode segsneM containing the i^sponse is: 



m Une of HIML code is tocated and tramfarmed ttr 

t>et)re tjk^ respome Is returned the client . word ^12acrypte<l:'* amithe **:2030" 
port xjwiber are srji|>!m>entatioft depesideflr ai^.d could be oiaitted or changed. The 
For



to pass the data through the 
to Oil a -'stresa^i" basis. 'O^e 



Also- multi-stage vanatlom could be used where requests ^md responses 
as whole or partial gles ratfer than streaivi*. with tac^ks perfomied on a 
A method affording privacy or anonymity on an Internet-type or



a) estabrishing a secure connection between a client md 

b) otyKviag Of providing one or mote services through or on the intermediary site t 



i as claimed in claim I, whereia the sejvices irjckde using tfee inteim^ary s 
Runicatfons between the client and destination sites so as to preveM otie or 

of the following ; 

a) any loa^m of detaite of tfee true desdnatiou sites ti^ client has visited by 
curable of monitoring diem tratmctlons by m« of t 




3. A method as claimed in claim 1 or claim 2, wherein the services include one or more of the
following:

a) accessing of destination Internet sites by the client through the secure connection with the
intermediary site and actively preventing any logging by Internet servers, providers,
routers or other machines associated therewith that the destination sites have been visited
by the client;

b) sending or receiving e-mails while any logging of either the destination, source or
contents of the e-mail is actively prevented;

c) storing files securely on the intermediary site;

d) transferring messages between multiple clients connected through the intermediary as in a
secure telephone, conferencing, Internet "Chat", "Message Board" service or similar.

4. A method as claimed in any one of claims 1 to 3 and further comprising:

a) accessing of destination Internet or Internet-type service sites by the client through the
secure connection with the intermediary site; and

b) actively preventing any logging by Internet servers, providers or other machines
associated therewith that the destination sites have been visited by the client.

5. A method as claimed in any of the previous claims and further comprising:

a) establishing the secure connection between the client and the intermediary site;

b) allowing the client to use the secure connection to send a request to the intermediary site
for forwarding to a destination site;

c) transforming the request into a standard request that can be interpreted by the destination
site as originating from the intermediary;

d) sending the transformed client request from the intermediary to the destination site or a
proxy for that site;

e) receiving the requested response from the destination site at the intermediary;

f) transforming the destination response into a response identified as being from the
intermediary site; and

g) using the secure connection to return the response back to the original client.

6. A method as claimed in claim 5 and further comprising the step of transforming links and
references in the response so that any future request made by the client based on the response
from the destination site is made by the client through the intermediary site not directly to the
destination site.

7. A method as claimed in any one of claims 1 to 6 and further comprising the intermediary site
checking that a client connection remains open to the intermediary throughout a
communication transaction so that destination responses can be delivered to the client and
that the client is not attempting an anonymous denial of service attack on the destination site.

8. A method as claimed in any of claims 1 to 5 and further comprising:

a) sending or receiving e-mail by the client through the secure connection with the
intermediary site; and

b) actively preventing any logging by Internet servers, providers, routers or other machines
associated therewith of details of the client, e-mail content, recipients and sender.

9. A method as claimed in any one of claims 1 to 5 and further comprising sending or retrieving
a file by the client through the secure connection with the intermediary site and the
intermediary site securely storing or retrieving the file.

10. A method as claimed in claim 9, wherein the intermediary site itself stores the file.
my <m of daims Uo lO md actively hindering Inteniet transaction 



n.A 
mBm 

n \ n»c«fx 



: I to il 



t is SB 



13. A method as claimed in claim 12, wherein the encrypted connection is an SSL connection.



slainied in any one of claims I to \3 used to allow cornsTsuniCfition with 
s where the dietit is restricted from directly accessing she demimkm site by a 



restnctive I 



port 11 



EitB 14 c 
i 1023. 



16. A method as claimed in any one of claims 1 to 15 and adapted to improve the efficiency and
speed of communication transactions by either:

a) adding compression to the client-intermediary connection;

b) utilising a rapid communications channel between the client and the intermediary so as to
reduce overall round-trip or delay times between the client and ultimate destination.

17. A method substantially as herein described with reference to Figures 1 to 5 of the
accompanying drawings.

18. Use of any of the methods of claims 1 to 17.

19. Apparatus configured to perform any one of the methods of claims 1 to 18.

20. Means to perform any of the methods of claims 1 to 18.

ii-snctions tnvoivmg cotnpDs^.^rr^ a^^ih :'-*:cat;Dr„ L=s.sr veiificisjon. ussr ausi^orszarion snfi scc&ss cofrSro!. pro'iK:li<3ti 

1 ■! e- Q(r. -C 3 n ! ( h { ia M i ri i 

and ti>s appafsiijs m Sfvi^xidying thssiis -lifiCiiniis sicross s tots: systyjrs or f?<5twork usifsg a cosnmon cryp- 



i If. order so 



EPS 421 



TRANSACTION SYSTEM SECURITY METHOD AND APPARATUS



This invention relates to security for networks including computer terminals and portable personal data
carriers such as IC cards, sometimes called smart cards or chip cards, having an on-board computer and
electronic memory for storing data and processing commands.



DESCRIPTION OF THE PRIOR ART

Jb9 «ss- 0? ^densific^tion cmis hsVmQ cojTiptnirfg fXi¥v«r ar;d ;ri8r;:0ry b:.;!:; into C'lfl has t-^en 

w 3702,404 to Casiassd. A tisssdvsnUige fti kmvi-n ps-fcr sri iC cards tS^at use -^iecKicaiiy »f8s.<:bSe piogrsnv 
msbte read mly memcfy {EEFROM) is tsaj of ^ E£PROM \$ 4^tim6 by the number of 'mi\% cyciss 
{8,g , 10 000) bofcr^i & wHfe fs!lof<s occurs. Accofdingiy, fh^ ossstss^ HfS! c-f \0 oss-S vi$mg t^^e jtjsrnory 

u 5i < (ft ^ + " 

Whi S h < Wf ^ ^ 0 

data: protsctiors cootsined in she hsadsr eaeri daSs ■!!&, 

Wbite provfeinci signffioantsy bsttsf umr aiithonfy cj-^eis-sny snd UiSis ptovidsd by rnagrsetsc^ 

"■'v p5,» ^\'5!'iC5;*0! c.^' i? t'^". s>rta<<:" hH^-^oX'v. K t^. ^ i ^ < i < Sklent 

vHC )^.-t >i K!T ■! \ t, i T i -'5 1, 1- f f 

I <r ^ ! n L e Lti f -it i s ^ « 3 tec 

iC cards is nos wsii oefysxiixL Av. sUacK f:;-n be rnaoft Sv rnoftitor^ng she ;nJe;1iKe fMe passwords are: 
as Aiso> 5tf8 3S>cu!fl¥ systesrss in use v</i;!! ;C csrds of the or;o:- 3!-i are or a iixed aransisc-uns ;sni5 not sssily 

oi-r/*t C tfi!"*^ i i ( ,\ ! I J (.J > " . Sd 

Ox binary, yss,'f!D rssponsss srs pfcvidod Dy tJ!^ ca-d wnisi-s fnsy is:<!x:-s& card to attack by onscrupuious 



SUMMARY OF THE INVENTION

In accordance with the invention, a highly flexible and secure identification IC card and a distributed

«i .<-t,i, f .\st n " jU-^ii X a !i}%<^vjtx>w 

} tf M n i \> i 1 r <; i V L s ^ > 

spp^iCsttGn ovs^Dsr, sissng comrvisnd configuration date. Access to a cortinisnd :s coolroiis!? by 'ha cenlsnt of 
^ f i f > ! 1 r li <■ { < N 

^vMm t. t( f ! ^ Nft n X*-* ixj v) 0 V. 

'he oc>'"cad»o -> x . - ^ -■•!! , > c aon t i'h s. a."^^ ?rh'e in '^e oli-isr 
dovice. 

The device comtnsnd con?)Gi;rat";;n c;;5.ta is not dcvjnioaaoa. l"ns dciwnioadsss ussr authonaatson prefiie 

'X! ^ t 0 i'^^ ■'^ "> 0)<!<. M <■ ! ^ 

ths aulhoriastson fcqui-ob c\- ;ha' ■i<.oc..^-:! a :"Xi'.Js*s\?:d cors^piiarid hi that device. The sasne or 

<f sj^vOt ' V f i i'' - oni 
from the electrically alterable programmable read only memory (EEPROM), new commands can be added to
the command set, or existing commands can be replaced with updated versions. Control can also be
5 passed to ;:;5d^x; ;i^:c:rocx;-'5 sivv BEPROsVI ai spsoffic cnticaS poiolt^ in tf;-3 C c^kI ;;-jp:5fV!iG!- rp"::;<:.'C>:'d«:, 
including :;-i;;i5ii!;-.aii,',;n, co:J')!n;.ini<:.;;!i<.BS, atid ayihoJi^^ticsr. oheckfE-sg, 

deiiniiior: at d&ia sjorase fciocks in rsowDteSife JYit^n^oty a^itf Six; is-sd/wri^j accs'^.s. \o ir.G%ii «3t£ 
blocks ar^ cofitfotifed by eettjrity ar;d conttoi if^iofrn&tion mctuain--^ scceys p^s^aqi-tiSt-. y;o;od in tf-:J 
ho&der of ssch data block in coojyncfe wH? tn« c«tt<snt ussare ayiji'snirailon .cvojiii;;. 

any mt9 failure oc-curs. For appticsbis timc^ws, data Ss written into mmnory in siJch a way as to 
cptimisg \h& tots! m of th« iC card by sprsadifsg wdte cyctes across many dsffsrsri! sbfagft tocations. 



DESCRIPTION OF THE DRAWINGS

^ a vtessf (4 ths sscurity cofrsoonent dsvicss systi^rr; or 'he srtvsnfeon; 

iFig. 3 is a felock diagram of th«; circuits; or irie iC osfc; ^ead :;8 

ss hi) 1 ^ r - % ar; ^ " 'Ui ^ 

Fig 5 a c--xk <. 3<..-.'im ■>! ^v;-i 'AS't -sn-i o ^ - . >' a- i>;st3i;cin; 

hi. k <^ ir i> >fO (Ssc^* 

Fi??. ? is a i^ioh i<5vsi iicw disgi-am of auti^iDrigaison checking to ssecute g command;: 

F ^- .V i< !-'<"tr s comiTsSi^d co>"%ufstiorsd3ts tables; 

as h ^ s ? 'V u i .-c ^ >A ii. . ^thoflzs^Ofi cnecHiri^ of Fig. 7: 

^1 s s , 0, Ks ' ^^ci-y of ths !C card, sccordsng *o ifivsntfcjo; 

< ^ s ; <.;< isv-^s-i 0' sssurRy devices sft the nstwork of the invention; 

Fi^. 13 shows iiow *n::.:ypikift kov'S distfifcii*ted; 
m Pig. 14 s?5Gws::Md dtilih0 wsfk Mate k^m m&^wlsim^ 
Bg, IS stows an onte work etstieri loses method. 

.-55 !C \! "s, > ^^, , ft ft S *■ t ft^-P* h 

JV, ^r.^ Hi U Ik! ^ 'K a o.^ > ^ ; >\t ^.'hv^ . 1^ p6 < .s,'ft,>i<.i'* ^ ^ 

Jslecommuniestfen itoss ojher hosit conipisiefs windi &t» not shown. Host computer 1 i pesfo/ms sii the 
yguai date ps-ocsssirsg sasks for vvhicii; is iS pfogrs-n-iiiisd af;d, i« a^idaiDri. fixocut«s tns no-work sscurity 
processor §uppoft pfogrtsm svhki) is ti-iB irissriacs fcety>.'es.-ft ihe nebvori; socuritv' procccsof 13 aod ths hosf 

computer arcitttsctL-s, Processor 13 msy havu s dfeptey 15, ss wssi g$ afl IC. C8n:i rssd vvrsts usii t ?,. 

.!:5 Cort^rfi!jnicgtion 'b8ftsf8ef? host computer il atsd wotk stations is pi-cvided by either direct attach or 
throi-igt! a oofTiauiOiostioniS concentrator Concontr^ttor 21 ^c in turo conuscled io one or mors vvork 
^latoiii 23 >? i : e -^t- Of! t. v.^at o^. j^^^c \ 5-vO!-! ft^i-v.-tsc ■ \ i ' Cx*- s 

kftybosfd and dispSsy snd optionaiiy may havo a cfifxi read write una 1 7 for ■■sadir5g and y^riting infcrrnation 
^..n! 5 o if^n n:3f\ -^a V ■.if \ ^ oi K su!<' s> i f u!n<< - 

if aoruioraiion and c-r-j-ssure dyoan-ics wn.io s noidero^ card v;5 is sigois-iQ a siQnrstt>r8, Pffjcessor ;3 &id vvork 
5;!aiions5 may aiso i-iSvs- a ovvplograjjhio isifepler card 23 kstaSied into iheir compute}- i3«s. CsfCi 23 

r;as tnoroon a ;.iii-5idod niodijie St vvsvcM is secure from i^hysicsl and sisetricai stfempts masJ or modify 

ss remote device which cspsbie o; suppers!^-;;:; tfis sscurs $c5s;ori ijyiatJlishs^serit: pfotoco!- is order for two 
dsrvioss to osiaijSisi-; stiCiiiO J3i-t::or;, tney fj-sust es;:!} corisisj!- an iaor;jiC«! 'my. the encryptino i'Oy. Tiiia 
i-cv^i-.-'-fjies^t ^ju.^f,^»!Ot>s J'v-s! u"a'jtocv'>::eri <iev-v*35 ."tofiof -^tuWfsf. -eooso ^X'3^!(..n$ e\n otn -r, A 
rssuit of tr:e secure session pro<:es£ is tho estsblishsTsenf of a randorfiiy derivod crypiogrepfK: sessiort key 
known to both devices. Neither the session key nor any other secret data is divulged on the interface
between the devices during the session establishment protocol.

Multiple configurations of system security component devices at the intelligent workstation (IWS) are
considered in the system of the invention.

The IWS may utilize only the cryptographic adapter card 29, into which user authorization profiles are
downloaded from the host computer and in which high-speed cryptographic functions such as application
program encryption are performed. User identification in such an IWS would be accomplished via password
entry at the IWS keyboard.

Ats IWS, utilized psimafsiy ir) sn off^llrss enyironm«ot, (i-^ay hsva oniy tfis !C card rsad'V^fi&s unit and the 
10 \C cai-d ir th<i conSg jretosi, ueor idC"^t1fC«*0'? S}%ct«jf< oy euis^-^g a ^^ cn -he r«*3dwi s '< 

ysfl5»c3tior. {8!<Sfig pisce v^thii^ if?e user's iC osfd. The yesr's authOfis^Jion proi5Ki may bs yssKs i^j conirol 

luK^tfons perfcrmsc! in th$ fC csrd ^>r may be dossfoioaded ir^to She iC csfd j^s^d/'wdts unit to contmi its 

A is'sird coriiigurailen, cotr>pFiSin§ the cryptogfsphic adsptsr SB, tte iO card rpsdiwrne »mt and the !C 
csrd, providss afi of the ioEtoiions of the ffrst two configyrstions, Add(tiof?sHy, it aiiows 5h8 
autiion-EatSen profile to bo downlcjadsd from tiis iC card to the Gryptogfgpi^fc adapter. A foufth iWS 
ooniiguratjon sdd^ to ths third confsgorate the sigfoab-r^s v-gfiffcetion por* 37, aUached to ths feadAfstite unit, 
thereby pmyi^tng user verlttp&tj^^ SShef via PIK* :or si^atur® dysismies. 

Fig. 2 is a more detailed block diagram of the electrical circuits of IC card 19. In Fig. 2, the central
processing unit 41 communicates via physical contact with card reader 17 through input/output circuits.
Connected to a computer bus inside the CPU 41 is random access memory 45, read/only memory 47
and electrically erasable programmable read/only memory 49.

A number of requests to the IC card require a boolean response, in which the response can have only
one of two values. For the purposes of this description, the two values are referred to as TRUE and FALSE.
A secure method is used by the programs in the IC card of Fig. 2 to communicate this response.

The method has two very desirable attributes: First, the response is kept secret. Even if the response
data is read from the IC card interface, the boolean value of the message cannot be determined. Secondly,
if the message is tampered with, as by an adversary who intercepts the message and inserts his own
replacement, the act will be detected.

The response is secured through the following cryptographic operation:

1. The requestor generates an eight byte random number, encrypts it under the session key, and sends
it to the IC card as part of the request message.

2. The IC card decrypts the random number. If the response value is TRUE, the random number is
incremented by one. If the response value is FALSE, the random number is instead incremented by two.

3. The smart card re-encrypts the incremented number under the session key and sends it in the data
field of the response message.

4. The requestor decrypts the data, and compares it with the random number he originally sent. If the
number is one greater than his original random number, the response is TRUE. If the number is two
greater, the response is FALSE. If the number has any other value, the response has been tampered
with.

Thus, we have accomplished the two goals stated above. The response is secret, it cannot be
determined by tapping the communications interface, and any attempt to alter the response will be
detected.
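
The four-step boolean response exchange described above, written out as an added example (not code from the patent). Assumptions: the text does not name the cipher at this point, so a small 64-bit Feistel construction over HMAC-SHA256 stands in for "encrypt under the session key"; the increment wraps modulo 2^64; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

MASK64 = (1 << 64) - 1
ROUNDS = 8  # parameter of the stand-in cipher, not taken from the page


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: first 4 bytes of HMAC-SHA256(key, round || half)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 8-byte block cipher (assumption: the page only says 'session key')."""
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def requestor_challenge(session_key: bytes, nonce=None):
    """Step 1: pick an eight byte random number and send it encrypted."""
    if nonce is None:
        nonce = secrets.randbits(64)
    return nonce, encrypt_block(session_key, nonce.to_bytes(8, "big"))


def card_respond(session_key: bytes, enc_nonce: bytes, answer: bool) -> bytes:
    """Steps 2 and 3: decrypt, add 1 for TRUE or 2 for FALSE, re-encrypt."""
    n = int.from_bytes(decrypt_block(session_key, enc_nonce), "big")
    n = (n + (1 if answer else 2)) & MASK64  # wraparound is an assumption
    return encrypt_block(session_key, n.to_bytes(8, "big"))


def requestor_verify(session_key: bytes, nonce: int, enc_response: bytes) -> str:
    """Step 4: any difference other than 1 or 2 means the response was altered."""
    if len(enc_response) != 8:
        return "TAMPERED"
    n = int.from_bytes(decrypt_block(session_key, enc_response), "big")
    return {1: "TRUE", 2: "FALSE"}.get((n - nonce) & MASK64, "TAMPERED")


if __name__ == "__main__":
    key = secrets.token_bytes(16)  # constructed session key for the demo
    nonce, challenge = requestor_challenge(key)
    good = card_respond(key, challenge, True)
    print("honest TRUE   ->", requestor_verify(key, nonce, good))
    print("honest FALSE  ->", requestor_verify(key, nonce, card_respond(key, challenge, False)))
    # A line tapper sees only ciphertext; flipping one bit is detected.
    flipped = bytes([good[0] ^ 0x01]) + good[1:]
    print("bit flipped   ->", requestor_verify(key, nonce, flipped))
    # Replaying an old TRUE response against a fresh challenge is detected too.
    nonce2, _ = requestor_challenge(key)
    print("replayed TRUE ->", requestor_verify(key, nonce2, good))
```

Because the random number is fresh for every request, the encrypted TRUE response differs each time, which is what keeps an observer from learning the boolean value and from replaying an earlier answer.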

T;:e f;sn.:;:;rr< rs.irtjbt?!- g-stj-jegtor prcg-wniJ-f od ihe tC caro u,";'-?? an 8-byfe counter to Create dtiiereof 
" Hi ^ x.,-- ^ 'H ') ^r. - " i ' \ -'< ! i ^ 5 ^ e random number; ft is S'-^-ip V 
o-^i; ^, ? f \ r*"^ 5 u'^v 5 < Jv-^a t ,.-0 tc .ippc. . .^f t-tr(e 

cotiaii;-- .i: in ^ho fectiro snvifonrnent of t.ne BSPROiVI on ti-sss iC o^rd, ^tjerd ife ^&hiS cifmoi i>'; 
.■s:,?:; bv 'shui>, ti t,^ oot i-'ftporiarst that tho counter actsjaiiy cotsn', iip-..a*ci if; ui.- '>:inv<:-n?;k""-i.si is-xo 

Wr;«l ;k";3i(v i!np>;fani is: Enat it ohsng^ each tin-)S s new randont niimisS; ;f u-if^srufe :;. anci :> ;:M.p 
« ! c <u, is 'V r ~res w-^ v««^ -^-xtv t'ott-' xj^m < f< t v' '^^^ ' , 

bist other very isa^Q:© nyrnfoers of sisfes are aiso acceptable und^jr most circymstancss. 

i C *t 'l^ "'^W^*3 ^'iiU'^ <S <: ^ ! 

i X . .JX S i^-' sr^t- p n J ,i} ^r*>HO\f ' ^vv8vu - i ■) v'' - 

time it is written, and will eventually fail, for example, after being rewritten 10,000 times.
If we implement a simple counter, the low order bit changes each time it is incremented. Thus,
we would only be guaranteed 10,000 counts before the device failed. This clearly does not meet the needs
of the random number generator.

The improved method of this invention gives more possible values of the counter before the EEPROM
different, but it will generate many different values, in a way that cannot be determined from outside the
wsrd counter, 

means trying to update each cell of the EEPROM equally often, so all cells will age at an equal rate. This is
different from the simple counter, in which low order bits are always updated more frequently than higher

The method uses the random number itself to index to one of the 64 bits in the counter, then toggles
(complements) that bit. The bits of the counter are numbered 0-63, where bit 0 is the low order bit and 63
is the high order bit. The low order 6 bits of the random number are interpreted as a value between 0 and
b'^ > i h .t->p'-is 5»f5 V ) i:*,^^^!^^!^ vi.ft)e*i -.i"n ^ <: 'fi ' \ 

number generator produces a uniform distribution of values, the 64 bits of the counter are each selected an
equal number of times and none is written more often than any others. Consider the following simplified
example, showing a 16 bit counter and the lower 4 bits of the random number:

Counter                       Random Number bits

0000000000000000 (0)          1100 (bit 12)
0001000000000000 (4096)       0101 (bit 5)
0001000000100000 (4128)       1011 (bit 11)
0001100000100000 (6176)       0000 (bit 0)
0001100000100001 (6177)       0111 (bit 7)
0001100010100001 (6305)
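
The bit-toggling counter update from the table above, as an added example (not code from the patent) that replays the table's five steps and then compares per-bit write counts against a simple incrementing counter. Assumptions: wear is counted per bit as a simplification of EEPROM cell wear, a seeded `random.Random` stands in for the card's random number generator, and the function names are hypothetical.

```python
import random


def toggle_update(counter: int, rnd: int, width: int = 64) -> int:
    """Complement the counter bit selected by the low-order bits of rnd.

    For width 64 the low 6 bits of rnd pick bit 0..63, as in the text;
    width 16 uses the low 4 bits, as in the simplified table.
    """
    if width <= 0 or width & (width - 1):
        raise ValueError("width must be a power of two")
    return counter ^ (1 << (rnd & (width - 1)))


def replay_page_table() -> list:
    """Replay the 16-bit example: random-number bits 1100, 0101, 1011, 0000, 0111."""
    rnd_bits = [0b1100, 0b0101, 0b1011, 0b0000, 0b0111]
    counter, states = 0, [0]
    for r in rnd_bits:
        counter = toggle_update(counter, r, width=16)
        states.append(counter)
    return states


def wear_simple(updates: int, width: int = 64) -> list:
    """Per-bit write counts for an ordinary counter incremented `updates` times."""
    writes = [0] * width
    counter = 0
    mask = (1 << width) - 1
    for _ in range(updates):
        nxt = (counter + 1) & mask
        changed = counter ^ nxt  # bits whose stored value must be rewritten
        for bit in range(width):
            if (changed >> bit) & 1:
                writes[bit] += 1
        counter = nxt
    return writes


def wear_toggle(updates: int, width: int = 64, seed: int = 1) -> list:
    """Per-bit write counts when each update toggles one randomly indexed bit."""
    rng = random.Random(seed)  # constructed stand-in for the card's generator
    writes = [0] * width
    counter = 0
    for _ in range(updates):
        rnd = rng.getrandbits(64)
        counter = toggle_update(counter, rnd, width)
        writes[rnd & (width - 1)] += 1
    return writes


if __name__ == "__main__":
    print("table states:", replay_page_table())
    n = 6400
    simple, toggled = wear_simple(n), wear_toggle(n)
    print("simple counter: bit 0 written", simple[0], "times, bit 63", simple[63])
    print("toggle counter: most-written bit", max(toggled),
          "times, least-written", min(toggled))
```

With 6,400 updates the simple counter rewrites bit 0 on every update, while the toggling scheme spreads the same number of writes to roughly 100 per bit.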



: ranc^om number vaiosa are iivly rsnc; ; 
iiikgiy thiSE this v?!?? hsppen sri reality, bu^ tf 



ssuii: ir 



t ; " 1 i> -) ^;bA t r 
Tiicrcpfncsssor Si, conr;'?ck«5 to s bi:S S3 tor c:oj7;!Tii.!rsie;rcSiort vy;iS~! otiwf oiei's-sersis of ihs 

vt5r {()\^:;skm dtjtecto afcyitry 5$ lr\ oed^r to protect tho soot^n thsfSGi, irisn^siiio 
s o.ovv ■ oy way isxample, in Eyeoj^ao p&imi 8ppSc«^)C}r> 80 M 4 545.S of com-fjon 



in sddfsjon xo merrsQry. ! 
dsvic&s and ths oasr^ 



;i wish tise standard RS-232 por 
!'Y coif in^orweaiion taebve&n csrc 

me cara rsisdsr 1? ssjppcrts s 
■Xiidoi ci IC card 18 ^vijo w^sh-^s 



n'is f(3r rsG^yivlrsg change of ofsssijra aciisiefstfon Sigoais rss5rs«8i~:tiog the sigosSLifO oi tiis psisoo 
iO:;ip ;ho cnrA. This circuiiiry and siippoftifig progtsfiis iifs ttefisisd ii> rtJiSfsJ dotal! ii's U.S. Pslonts 
?8S.r;i=3. 4,i:;B.8.?.8; -1:?S4,542; -i;?36,445; and 4,?^,S3-1 of commors a&signes with this 

Tho IC osfd IB iissif is rsad by circuits 07 which Include pfsysical olecfricai com'tsts for conrsocting 
5 circ-jitfv 0^ f-'^g. 2 fo tfjft fxfs; 53 so ihai <:;ornp»t8r micicjpfocftssor 51 csn aot ist corsiynoJcso wsfh 
compulist 4{ \n thfs casti isfsdsr s^csiHty prograns to ji«ns.fer informgdoo ixuvvijsn s?« csrd reader and {tis

shoiNn, them Mows g i^tle? descripte d«ch bioc^c. The s^eart o^" r-\ijJo<., ^piH,- 5\s»hi 2$ \ho 
f crypiXiSfsphSc rtwfefe 31 which provides a ^gf^p8rpa^of ^tnvironmsi^t fjsr ths ijfiorypiiof! pw^ssor and 
stege whSch contains the cr/ptogrsphio ksys. The crypfo^raprjic adapter is controHsd by mlcrc-proc^ssor 
n, using sscui-e msmoffes in tie form of random access memory 73 snrf reaciJOiily n^emosy T5 Thg 
cfyptosrsptsie ksys m stofsd in rsndcm access frsemory 73 which is kept sctive by bgtejfy backup circuit 
77 snd battery 7§> In ord^r to eiw&ft ssn attsd< on ths secure modufe, battery bscifijp circujt 7? operates 
coriUol of tampsr proton arsd dstecScsi <Sj-c(Jit Bt wNd-* doi«cts any attsmps b access modui® 31 
by phy^icaiiy attack, Ths physfcal and el<sct4<;ai pfotectfors of rr^odiste 3 J ss sot out in gfe&ter detail 
E.urope«sn pstsnt appSication 90 114 54S,S, of cortsmon assignee <,vUh this appiicsSicr,, Micro processor 71 
lisos rsTidOiTi aca«ss tnsmery 83 \'«"iich is iocatsd outside of the saours rnodyso 31, addiiiofj k> iiS secure 
rfismory- To pravent sccass to ^hs coniseme pf sesure ro&mory ?3 an!3 75 while r?^icroprocs?sof ?1 or 
is ejicryplioft processor 85 is fornstng a asc«ra procass, gats B? opm& tha comscgon of bos 89 to its outside 
exter^eiot) gi so that »iy infofrfvation en bus 88 cerioot bo read 1«sm ouleipe o; ffiodyio 3i at contacts 
corinsctjfig bus 9t, 

Turning sww to Rg, 5, a bi(3ck disgrgm of the hard«?sre e«d soltwaro feMyres of a v/orkstation 23 c*- 2$ 
sfK>v«5 A csjstcmsr sppiication program lit runs in ^ wofkSi&tiOrs ?3 oj 2S, utiSsing sacur-ty ufiiitias US 

gs ar^d Jntsrfacss ssith li)§ operating eyo®Tn program in the wcd<ststiony using s socunty appiicetseo progfOf^ 
interface, Ifie secufity utiHfiss provida for such funcfsoos ss ioilieii^og m iO card 19 or enroiiing thg 
ref^rsrsoa aigrsaturss of a ua^r into iSie mnipry or the card. Cfyptographic fundion requests fi-om a 
CLiSto-TT^sr appffcs^tort program ill are passed through workstation security sarvtce sypervisor syiiS royt^r 
■ j5 to Lhe eocurity ssr>?ar pro^fan^ si7. Security server progrm tt? provides the progroir. rnoduies and 

2S irfoir^arion srsO-'xiis-iC- ce ypJogfapf^ic key$ assdsd to psrforfn a specific furjction, ?tv^ avpfc>i)f35."''>>c 
adspfei- h3?dwsfs 2S torou^h a device imet program 119, Ex^pie program ro-rxlisies inciixfe ksy 
fi'sanag<sn-ienf tnoduis ;£1. message aothsntication ooda verlfisatbo 1?.3, rrsessage su^entics^ion code 
gsnsrstor 125, and encypiwA^ecyphsr lonctioftS 127, 123. 

The i<eys «s3d for gerssratlon of message authantication codes, anaypiing of oftser keys, and crdinar/ 

m encivption m6 decfyptlon \&$ks csn be stored in many pieces in tha secoro o^motk K^ys are stored on 
PC disk memory in ancryptsd form, aecryptad oftde the maetor i^ey of or-o of tha security davices, 
CfvptographiO S'iapie- 29. catd trader 17. or !C osrd IS. Kays are aiso stored in tna nerivo!&;ii.-> fOijon-ntsj 
0^ csyptographfc adapter 33, card reader 17, and !C car4 f§, 

in those configuratiOi-sa vshere a wori^statioe hae both a cryptographic adapter 2g and m IC cerd taeder 

ss 17. security f^ioofiorts fssating to ths !C card or card reader ara reqsjaetad isy costom&f epptelioe program 
111. pass down fiirotigii the vadous program interfaces through cryptographic adapter 2§ to card reader 1 7. 
if! ihos'S cortfigoraSons where g ftwi^statioft f^ae oniy a card reader and no cryptographic adapter, tf>& card 
reader ie conneotod to the perso^iai computer of iha svorS^sfation i>/ asynchroeoos QOfnmunicatiori intarfacs 
B1. shos'vn in Fig 3, wh^ch is rsp.'-esefued as a to-rinsisriicatson Sjne m Fig, S, 

•8> Fe-srrinQ i\iw to FiQ, 6. a iViOre d;?Usi!!5d oiocK dijigrasfi or the circuits and prograroj^ed functions, 
sesidiiip in n^-iv.ork .j;5curi;y p=GCoc5sor 13, are sf^ows'j. Hat-fKxk s&C!;d!y ptooesso;- 13 is: ijaj'sd upon a 
fcoa^ofiai comiju^oi archii'vCiure i-joi^wig a speoiai s--xorisy oporat^rii} systorf; ••v!-;ich pre-.'ents iiie oc-;r!p!.i;.5r 
frorn perl0fr.ni:ic; otd-nary oarzo^fA oo'fjputor functiorss, theraiiiy a!"h.-3!X:)no sovUiiiy rh.«: ri:5;;.jruv 0Ev;.f;=U;ng 
sysUitn ii? b3^5:c; upon &n iBfvi Personst Co-vtpt;isf- Disk C}pB!3r!fio Tsy'^iei^; ■ =ii 5-.^<:i ino'-s^iieci h-/ ?t rnuisi- 

# tasking p.\-t5rso; 143, Cn^i c\ tne oinnsf;;) uncisf n;i;it(-l«3i<;rj9 p-.-jrsfn i-IS ;r a ix-s* ^.^rvisr fnc-iSuis 
HS, SsEver rfiarmg^:^ tomiTUjnicatiOr^s iio-waeri rs-ie net-A'ork sj.cjjrih- psocii'is.cr 13 ?';d tii-'; i-ost 
corrsputci- 11 ih^o^A-ji-i ?. cKai^ne! l3Sk psic^firarf! 147 and a f5os:t ohas^fiOi adspto^ UB. 01 p-irtiOiiii: >jr.p^:r;.sfi.;o 
un V uxtv s. i f< t., .^O) 5 t -^s K t. ' -> ^ iht- 

X .! V ^ ^ 0 - f;/ t'^c i^ru-'ty i v,.-- m' »f Ik f > " s ^ ^ 

6iJ accompiiiSi-iad {>/ C!y!;-ioc:.r.r!phi(; sOssptor i-fiak progfatn 153 and crv;5to>;.:-r:ph!C -idsac-i-sf 0^\fC-i linvf-; 
progrsjT) 165 whscn pro-.^d j i:-ie isiiA-rfacs to ;i-!S cryptographic adapfer 29, ii\stilie<i <r. i>:-B pors-ontJ ccsTsputsr 
i \o \ <! " , h. V ca ,i -Tautit 1/ s'o p% " ^?i'-< , .livu-^d ;> , 

•v^'Swork i;-5!,:jr:ty pfooess.or 13. ;jre usad xo consrof access to iiie nowork soohri?;,- p!'.xos40!' 'oi' i;;ii!ii;C':yi::; 
fi^s ^:-:x:i;:iiv i;:.rGo>; s;30f, operator servicas. asid !?iaintenanco eic. Ani>ii>«(f iuootion se'Vivi !;.y ihs; csrd :&adi*:- 

S5 * t If tr '■i'^l "^fO ^ 5 ) udvf k }Ma'> ^, i^,^^ ■! ^ 

the master key, entered in parts, is used to generate other keys for distribution to other devices at other
nodes in the secure network.

The directory server task 157 contains the pointers and program routines to allow the security server to
access encryption keys and other information needed to perform its cryptographic functions, interfacing with
PC' DOS tW-i icciiiii ;riB?.;:od progtafj-ss; l5Ci Log ssrvsj? 16( also 5?. <3 tS5;k which proxndin hr the auditing 
?u!)C'i^,ntf -^a-^:; t?i^ ryi,:-?:;! At ths top of Rcj, 6 sfs sho*r! bioaks iS3 vfhich ps'ovidss histsiiatton 
s'«!v-::e« :>r:>;,";;:5-!f'^"!g ifjS vvhk;h pfovit3e<5 insSiaS prc-griJro losdSfjg s-'id 187 sthkii ptovides 

Fig. 7 is a high level view of the processing method which checks whether a user is authorised to
execute a particular command. Each test references one or more tables, which are shown attached to the
corresponding processing step.

The first step 171 checks whether the command is a universally authorised command. Universally
authorised commands listed in table 173 are a fixed, predefined set of commands that are necessary for all
users in all situations. They are always allowed, regardless of the user's authority. None of those commands

The next two steps 175 and 177 are actually performed together but are shown separately for clarity.
These involve checking whether the current user is authorised to execute the particular requested
command. A user's authority is defined by the contents of a related user profile in the table of user profiles
179. The requirements for execution of the selected command are defined in command configuration data
table 181 by the execution prerequisites for the command. These two items of information from the tables
are examined to determine if the user is permitted to execute the command. These steps are set out in

If the user has the authority to execute the selected command, there is one additional step 183 that still
must be performed. A programmable table 185 contains a list of dates defined as holidays, and most
commands cannot be executed on a holiday. This provides an additional level of security. If the current date

- s V ^■^ . ^ !(i5=j .5 iv^aic^ oroi c->-^--iaf - sq^'a^ on 

i\i I h^, I'i no h^ u)-^' nf> i> i c<^!^ ■ir^-- > '< '■^'■%'^-ned by 



flags indicating the mode for the identification of the user.

The command configuration data 181 is independent of the user authorisation profile, but consists of a

first step 201, as in Fig. 7, is to check the table 173 of universally authorised commands. If the command is
in this table 173, the remaining steps are bypassed and the command is automatically authorised.

■U; i for :he s-iiocled con-nv^n-;; :s :-e;,r-c-.ed T'-«ie ere ;,:sed in performing most of ths i-emsinirig checks, if 
file- cornrtisrid ;3v.-;t;ia;:>!v fn:.;:;:;, rr 2!)7, to be siA in irso Cdfr-itiSPd configumims data 181, ths 

> <.i !<i ! Si ^ r u (- * * > 1 
181, the command is not authorized unless a secure session is determined at block 211 to be in effect with


55 -to''h!., 5< a, ^ \. ,v V - - xi fea-'-*(}-xJ two "O'npcnr-nls th«t do not 

?!to..* r CN-^ nor V. \p oj'a!j"">c keys nsj^a 6o n^ t^'e c,<.x. 

If block 213 determines that the initial verification required flag is set in command configuration data
181, the user must have verified his identity at some time during the current session, or the command will
not be allowed. This is tested at block 215. He may have verified his identity by entering his PIN, or by
using signature verification, or some other external means. The methods he can use for verification are
controlled by the verification method identifier in his user profile.

If the pre-execution verification required flag is set (block 217) in the command configuration data 181,
the user must re-verify his identity before each time the command is executed. Block 219 tests whether the
user has re-verified his identity in order to use this command. If this flag is set and he has not re-verified
for execution of the command, it will not be allowed.

Block 221 determines if the disable time limits flag is set in the command configuration data 181. If it is
set, the time of day, date, and day of week checking at block 223 is bypassed for the command. If the flag
is not set, the time of day limits, expiration date, and valid days of week fields in the user profile are
compared to the current time, date, and day of week to determine if the command is allowed. If any of
these are not satisfied, the command is not allowed and further checks are bypassed.

If the current date is found to be listed as a holiday in the programmable holiday table, the
command is not allowed. The user's authority level from his user profile is compared at blocks 227, 229 and
231 to the authority level required to authorise the selected command, which is contained in the required
authority level field of the command configuration data 181. If the authority exact match flag is set in the
command configuration data, the user's authority level must be exactly equal to the required authority level
for the command to be allowed. If the authority exact match flag is not set, the user's authority level must
be greater than or equal to the required authority level for the command to be allowed.

Each user's user profile contains a set of command authorisation flags defining which commands that
user is excluded from executing. If the requested command is not authorised in the user's command
authorisation flags, execution is not allowed by the logic in block 233.

Each user's user profile contains a verification failure count which counts the number of consecutive
verification failures, either by PIN or by signature verification, or another external means. Each profile also
contains a programmable verification failure limit, defining the number of consecutive verification failures the
user is permitted before he is locked out. At block 235, the user's verification failure count is checked to
see if it is greater than or equal to his verification failure limit and if so, the command is not allowed.

Referring to Fig. 10, the method of command decoding in the IC card is shown. This method employs
two command decoding tables: one 241 in the microprocessor ROM, which is fixed, and another in the
electrically erasable programmable read only memory (EEPROM), which is programmable. The table 241 in
ROM defines the default subroutine address to be called for each of the possible commands. The table 243
in EEPROM can be loaded with new addresses, which will override those in the ROM table. The method
allows one to load new commands into EEPROM, or to load replacements for commands in the ROM, and
to use the EEPROM table to cause these downloaded commands to be executed in place of the commands
in the ROM. Whenever a command is to be executed, the address is first read from table 243 in EEPROM.
If block 245 in Fig. 10 determines that the address from the table 243 is not zero, it is used as the address
of the subroutine to process the requested command. If the address is zero, the address is read from the
table 241 in ROM and the address read from ROM is used for the subroutine to process the command.
Thus, any ROM command subroutine can be replaced by loading a non-zero address into the table 243 in

Fig. 11 shows the format used on the IC card to store data blocks. Data blocks are a general purpose
means for defining and managing user or system data areas in the IC card non-volatile memory. Data is
written to the blocks and read from the blocks. There are many options and features to keep the data
secure from attacks.

261 in Fig. 10 shows the overall layout of data blocks in the IC card EEPROM memory. The low portion
of the memory is reserved for information that is not stored in data blocks. All memory above this fixed,
pio-k'-'X c-..;-^ t. -'J- ;i!v c^jiinition of data blocks. Tjvy arc j^oc^icj cont'^.c^^^ ?<;fS!rv-,s of 

the memory. The first data block defined occupies memory starting immediately after the fixed area. The
second block defined immediately follows the first, and so on.

ii? 253 shows thir ;-rij:;is>e s s^-xs^s- data biock H&ch biooi< consists r-^ ^m;. pvr-' .:; r..*.sO.>!' and e diu:; 
< 5 h - ^ ^ ^. n< < V "wt V rei-fo<< S''''' i'. ' ' - < f ! (OS t^'O de.',a 

^vnSci; !.r i.'.'ii-'so So m4 ;-v<>A -roft" ins hlocit The infos'JTistso!^ ir, hi-;?de. -.s fi-ns-i -..r.-j!? ti'iO bfoc^ is 
■a:i-':vv5!.';,-i T'-.i- -.K-tU crc-3 iC ->r s f;.,ed S:aO Ofico 'i-o osool? hss o^-e'T .-let.r-^.,-: ^\ f^r- ,vit c; ;n,:i it-ei-f 

265 sfiows fho Qoofeots of ti'se bksek nsadsr. the UoGk is so sighi byte si&ld used u> idontiiY ii>e 
!5!o-:k. it ijasted lo ti;-.? ccird wit; ail data block cornmaods in order ro !d<5i(!ify tiK: t-.ioci'; ot ifii^M's-si Any 
It. -it ! vi. ps„m 0 l>"-i i\ 'I.'" , . ?o.'>; o »M to euj'\ v\ ^s ^i ^ . " ^ >v 
The user must pass the correct token to the IC card with each data block command in order to be granted
access to the block. The token is similar to a password for access to the block. It is defined by the user at
the time the block is allocated. In order to protect the block ID and token from disclosure, they can be
encrypted under the session key when they are transmitted to the IC card.

The data length field in 255 defines the number of 8-byte paragraphs in the data area of the block. A
value of 1 indicates that there are 8 bytes in the data area, a value of 2 indicates there are 16 bytes, and so

A checksum is stored in the header 255 to allow verification of data integrity in the data portion of the
block. The checksum is calculated from the data each time it is written, and the checksum is verified each
time the data is read. If the checksum indicates there is an error in the data read, the data is still returned to
the requester, but a warning code is returned to inform the requester of the error condition.

The header 255 contains read authorisation flags and write authorisation flags for each user profile.
Each of the IC card users can be given read only access, write only access, read/write access, or
no access to each data block individually.

block header in order for that user to be granted access to the block.

A set of flags 257 in the block header 255 defines various security features for the block. The
verification required flag, if set, indicates that the user must have verified his identity before he can be
granted access to the block. The user can verify his identity with PIN or with signature verification or
another external verification means. A hidden block flag, if set, indicates that the block will not be listed

i J =0 ^•-U < s < < 0 C'-^ iT 5 ^ St Oil t'""- !C " (i 

A secure session required flag, if set in 257, indicates that the block cannot be accessed from a device
unless that device has a secure session in effect with the IC card. A session key encryption required flag, if

when read from the block, will be encrypted using the session key established between the IC card and the
device with which the secure session has been established.

If the secured block flag in 257 is set, the block token must be passed to the IC card encrypted under a



First, it requires the overhead of encrypting and decrypting the data, which can be time consuming for large
< 3;a V { ^ t\ ri<i-c^ )■-!.< tv-?!, tpaiat^ Tlit* ' f !l d^ ^ i^ii 1\ 

> iv;-^ il < <- ^ r .0 ' 1 t "^i < u\ 

" e xi or^O"^ i > ^ ^ 0 v~a 0 '-^ui 04 3 ' ^ ^ ist * •> u i m '^c 

5.10 t \ ~^b» vOv \ots c -ix •! ^ feC!>! \> pi. iC ,v d rsSher 

the IC card decrypts the token, and if the user does not possess the correct
cryptographic key, the IC card will recover a token value that does not match the token stored in the block.
Access, either in read or write mode, will then be denied. Only encryption of the eight
byte token is required.

Note that storing the data in encrypted form is not required in the IC card. The data is stored in the
EEPROM, which is a secure environment. The only need for encryption of the data is when it must be
protected as it passes over the interface to the IC card. For this purpose, the IC card can accept data


devices is shown Fig. 'g. in t;ic iC; c;ard. tor axampfe. additiooai sod difiorpiU oooimaods sao bo 
downloaded to ti^o IC card cavsco so oracr to osr iorifi additiooal iuocttoos as tiioy are foond to bo naod^jd. 
"-^ 0 0 * " " ! f >. - c. t t'^r^ i C, - —s ^ t , -'^(^posr^o CvVir-v"? 

T 1 0^ 1 N f5 0 f ! h:n t < n \ a ^ 

network security processor 13 a host master key under which the master node keys for all other network
node devices are encrypted. The host master key is generated manually by a privileged and responsible
individual (security administrator) in a highly secure and protected environment.
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Us!«8 iC csrds !S vv'HN th^; highest tevsi oi auteity in M user aoJhorfsstion ijn>v<^. ^6 .?s-ciji;iv 
admfftistrstof gsrisrstss rrsastsr kssy parts on his iWS 2S, incofpomting a srypiograpE-io ::;c}>ip(<E.i' 20 isrid ;C 
card rsadA'rtlts uwi 17. and th&n enters ihs host msiste!- key pa^is Joio the n<5K'otk '^colS!^■i ,;-o.:€,=:'=;v,r 13. 

using its attached IC card read/write unit 17. This is accomplished through the use of commands defined
under a common cryptographic architecture specifying the cryptographic structure, commands and operation
of system security component devices in the system of the invention. The common cryptographic
archrtectui-e !s d-sycfrr-jd in grsaj d^Jas! in co-psndmg pstent appiicaix:.--! US Seiisi N-jifibeu^ Si-iJU 
{Europea!) iDJJterii ;jpp;!a;fion S3 308 968,9), 533,&1S (Europt-sn psyisoi iipc-ilcatkvi S9 SOS 237,338 

?a; {Enropoas) pcifent ;:piii;casio« 89 308 DT!,3}. ass.OtO (Eisopsar. pisfer.j sppi-cafK-n 3& cs>)o C>7a3) and 
34^,185 {6iirop$<Jrt p&i$nt sppiscstiixs 90 105 9G5.5). AUsrnstivefy. tf;;? secufity adfnifiistfstcr nisy sntsr th«- 
host master key into the security processor 13 directly through the PIN pad keyboard of the IC
card read/write unit under the authorisation profile loaded into it from the security administrator's IC card.
The next step in the process of cryptographic key initialisation of the system or network is to generate

•Ji- netwodff nod©- -master ksys sncryptsd under- ths hast master ksy; Tsw^e mssdrrHxa:^ of secamy -In the- 
transportation of the node master keys from the network security processor 13 to the remote network
nodes, the node master keys are generated in parts and each part written into the secure memory of
separate IC cards 19. This step is shown at block 311 in Fig. 13. Only after the key parts are sequentially
imported from the separate IC cards 19 containing the key parts to another system security component

m devjc®, and cryptograpi-jfcaliy assembled, is the nod-s f?)asl»f key tmpis. impottsrsg of iosding jho key psrts 
into other node devices is shown at steps 313 and 315 in Fig. 13.

After all system or network nodes have been so initialised with master node keys, node key encrypting
keys may be generated by the central network security processor 13 under control of the key management
application program running on the host CPU 11, and encrypted under the specific node master key which
is held within a secure key directory in the network security processor 13. Other secondary keys, such as
data keys for specific purposes, may then be transported through the system facilities, encrypted under a
node key encrypting key. This step appears at block 317 in Fig. 13. Transportation of these keys is
effected through the host computer 11, as shown by step 319, to the system or network communications
facilities. The secondary keys are downloaded at steps 321 and 323 in a secure session to each node
represented by a security component device such as a cryptographic adapter 29 or an IC card
read/write unit 17. Depending on the key management structure in the application, the need for data keys to be
held in common between the central network security processor 13 and other system or network nodes,
and the level of key management control delegated to the system or network node, the secondary keys
may include data keys for safeguarding the files and programs at the node device. Alternatively, these keys
could be generated locally at the node under the node master key.

Fig. 14 illustrates the off-line intelligent work station (IWS) logon procedure in the system of the
invsottort, using ths system security compon^n devicss descnijsd irs Figs, 1 through S of U)is snvsn.tion, 
Reference is made to Fig. 1 for devices identified therein.

When the; ussr ins^^is tf^s pw's iO pa?d, step 38$, into ti^e to cerd fsad-Aft-dt^ unit 17, tiioso two 

46 de\fices establish a ssour^s sossioti betv^son them in step 357. This action ooeurs trgnsparentty to the ijser, 
is based on the existence of a cryptographic processor in both devices, and results in a unique session key.
When the secure session has been established, the cryptographic adapter 29, if it is present in the IWS, is
<:dv'is:5d by ti-!e !C caro ! -5ad%fits unit 1? thai d-se sscits sossioo has been estabiisi^sci. At step 3f}9, action 
is then initiated to establish a similar secure session between the IC card 19 and the cryptographic adapter
29. At the conclusion of this action, the IC card is in secure session with both of the other devices. The
cryptographic adapter will attempt to establish a secure session with the reader at initialisation of the
cryptographic adapter. In the process of establishing secure sessions among those devices, the authenticity
of each device is verified.

T»o ^tro "-^ too irsjifts-^ psocedur-f i? t-o v-^riv 'i^ie mmt-h >ho ssr-s^ s-^t -c 0 - v-^ " j i- 
ss iiiualreios'fvvo irisuvjcfs of yerfiicsitiori: one past=>rj on Ukj ui^ a yeci'vt p:^: v^^r^iicvaion f-ii^rnbsr \P]N}: 
' .^^v,-' ' ! s-.>r ot ^an r sip'-at r oattv! 5 < ^ ^.tev^irthat 

01 ;-->fgr.--;r;<-.e s^;jii.-i!.jr8s pri?:-«:C0i-.-3g!i :.■■! Ihe IC csni Bsc».us<i -he ^.^ti-.^; o' x.v/:<ani hi Sniierc-iotiy isss 
s;j4i.:Ci;;;!t;!'i.- !<• .:.i;ir<ij!-cr(5ise arid fr>oro cosl-iy to irripietfu^fit than tho for.-.-^e-i . tn*: ci;r-:--e bc=;\^c-ffn ^iie t^'v.:^ 
fs^ons 50 s: value judgment for each spplscaiioo. 
ss i N * msJ 0 !!; (( tj Uoo « Mvj; 33 >>, i tnr^ot f-.- <ei(^.er "> ' - ^ ".j - \, 
pad on the IC card read/write unit 17. Within this unit, the PIN and a random number are encrypted using
tho session ifsy. arid passo'-i across ths prc-soisd teterface to ihe \C oard 13 VVttijin tne iC card tS at step 
333 the received quantity is decrypted, the random number is separated from the PIN, the PIN is verified
against the user PIN stored in the IC card. Based on the result of the verification attempt the random

29 to the IC card 19 to download the user's signature reference data. In the IC card, the signature reference
data is read from secure memory, encrypted, and passed through the IC card read/write unit 17 to the
cryptographic adapter 29, where it is decrypted at step 337 and held in memory.

'ilie^ysar iS then pfc^npssd st sJ8kj ^^^'^ '^''^'^ ^ v8ri;tes-!Ci> ^i^gnaiure, ana ^usisig Ihs sigs^tura 

adapter 29, where the signature data is decrypted and placed in memory. Within the cryptographic adapter
at step 341, the dynamic signature verification algorithms, e.g. as described in US Patent 4,724,542, are
invoked to effect a confident match of the verification signature data against the multiple reference signature
data sets.

¥8iidafed and the am- person's identity has imfi verified so vh© iWS.- tt retmins to estsbSish, within -he 
jN !. t um e' ' c c « ' * e ' " iWc- r.. ou'c.-s, m ^ ^ ^ . .a. 

within rhe IWS. 


command configuration data and cryptographic keys combine at steps 345 to control the use of commands,
files and programs throughout the session.
Si V '>ie<' '^6 u I i u i at N ^ v^'i rt i ^ 

f > i , 5 " i"\r>f N >f '\V">i - ' vf^i :> : c-^ ! ' s i « " " 

«d , / e < ! < - a VVS 

" ^ iK< ^ i ^ i . ' ua sWS ,.t: ar-d t'o -ost 0»U 11 iie:;uf*r sassD- se 

established between the cryptographic adapter 29 in the IWS and the network security processor 13. As it

0 'Mtx •• <i,^re-e - ie^- e ' s conn$v;tipn wSt*' Fig, t4, the ests&iishmer^ ^ sn-iins' 

' Oi ! <' < ^e^-c If X5 n e<f 3? K ' t - . ' < ■=;r>'^ 

."0 V. . " J session aric ths OiicsypfeiJ piot^fe 'S dowT?ioaded &s step 

aSTfeihecrvptogiSDhicadisrusr t:3 in i^^^^^^^ , ..V.."? 

4j) (■ ^^p^^ u ut V c i u ' «ion Ti i <^ li'v s -^d iC -e < i 

t oi ! f* s ■<( Itv-^ U! sat ie 1 f ! < i I f ■<! 8! V. 

to control the use of commands, files and programs in the IWS. As in the off-line case, logon step
J=5i'- M-^fir V. v'fu'nte ' .Hi^&ort of tt^s Q'Stau t pfOrsi? 

vV:.;ie xto i •,!'in It-'-': dear ' '* ^- t. ~e en-ibodfmenttfjere<?Nn tho fcrm of 

a transaction security system including an IC card, it will be apparent to those skilled in the art of computer
system design that the principles, methods, and apparatus of the invention can be applied in other
environments to enhance the security and prevent fraud.



1. A security device comprising:
a data processor;
memory connected to said processor;
data input and output means connected to said processor;
secure session establishing means programmed into said security device for controlling said processor to
establish a secure session with another device;
an authorization profile stored in said memory, said profile defining the authority of a user of said security
device to cause said processor to execute programmed commands;
transfer means for transferring at least part of said authorization profile from said security device to said
another device for controlling said device in accordance with said authority of said user defined in said

2. A security device comprising:
a data processor;
memory connected to said processor;
data input and output means connected to said processor;
secure session establishing means programmed into said security device for controlling said processor to
establish a secure session with another device;
means for receiving at least part of an authorization profile stored in a memory of said another device, said
profile defining authority of a user to cause said processor to execute programmed commands.

3. The security device of claim 1 or 2, wherein said security device is an IC card, or a host computer, and
said another device is an IC card reader, or a computer work station.

4. The security device of claim 1, 2, or 3, wherein said authorization profile defines the authority of said
user to execute a command at a particular time, and/or day and/or between particular times of day.

5. The security device of claim 1, 2, 3, or 4, wherein said authorization profile contains a plurality of
command flags, each command flag defining the authority of said user to execute a command.

6. The security device of claim 1, 2, 3, 4, or 5, wherein said authorization profile contains a plurality of
access flags, each access flag defining the authority of said user to access a data file.

7. The security device of claim 1, 2, 3, 4, 5, or 6, wherein said authorization profile contains a plurality of
program flags, each program flag defining the authority of said user to execute a program.

8. The security device of anyone of claims 1 to 7, wherein said authorization profile contains a user

9. The security device of anyone of claims 1 to 8, wherein said authorization profile contains a user ID, a
personal identification number, and an identity verification method identifier.

10. A security device, especially an IC card, comprising:
a data processor;
protected programmable memory connected to said processor;
data input and output means connected to said processor;
an authorization profile stored in said memory, said profile defining authority of a user of said security
< va =»it^-=*c " i> ^ Pi < vU-ifi^^^ss-> k v.><$> V Ic pfOjj'iimnNgd ^OTi.mnds, 
;-e n!>-"-^ a ^ ok : ><ux vy vi- aifthcjosed pojson 3rtd ssomg said rasoived 

* 5 l<^!( t! V. i istoadttsS-jofizstirfsp'ofiS 

ds^-; ;>k\..k;; -.r <;i;:c ^.acf- <.:;5to bSor-k havsrsg a hftisdsr. ssid i^sader eos^teining merrsory access 

40 !rie,sf:.; IC! c..;v:j;\ir;:iQ s:=id -:-.c :.f.c5s !)!:i!ux:uis;t!*s with tiia ai-sSiXid^aiic-n pfofiia of sjsfd iissr. 

12. The IC card of claim 11 wherein one of said access prerequisites is an authority level and further
means for comparing said authority level to an authorization level stored in said user's authorization
profile, and/or

vvix.-iein onpj of said accsss praraquisiJos cotripnss a (^i&a fiavs ^^rtd a >'.-n»a fo; eaci-i t-:;;-? ^^no iurttiar 

means for allowing read access to said memory only if said read flag is set and allowing write access to
said memory only if said write flag is set, and/or

0. 0? S .V ,JV.-J Ceej. -i..>'i\ . s.o.-..je{t<JC f«0 !,<{! .Jt\i .!^' - X'-, ) 

means for allowing access to said memory only if said IC card is in a secure session with another device
which is requesting access to said memory.
13. A security device comprising:
a data processor;

> c >. 5 1 Ar r» •^•^c-y c> -^xix ^ ci'U u>i ' j's ' . 5^ 

a plurality of commands for controlling said processor stored in said memory, each command having a
plurality of programmable execution prerequisites stored in said memory.

14. The security device of claim 13 wherein one of said execution prerequisites is an established secure
session between the devices affected by the command; whereby the command to which it relates will not
be executed unless a secure session has previously been established, and/or

^ f ^ ^ <^ ^ ^ ' s ^;(.\ ^»rf e^tiO!t \v*"vjf5t>y t^oc^ ^-'raftJ f<^ ^ithc )t 

V. tin 5 i ^\ ^ KK l.feR'5^.!'^ v.'- ■■ '^u vNtc^sO" ?^ wfst "-i'P ; " ! is> 

tG!Vi;T:a;x; niis. t&>5ri vf?!iii&t5 fifjocifscsiiy for e«ch exftcsiiicii of said cosrsnwid to vvhich f€iSai«iS. Si-sd/Of 
\«;-;«r6;n o^re o; it:ii^ ex«;c;.:-iof: pff:fequia:;i5i; is lifvse *i-.e,-sby a Ci3mft>snd to vvhich it reiatss will ixs^ be 

of ii-id co:f;r:;3i:d suihsifi/^id to exscuie said axnfoand: and/o)' wj>;srein oo& oi Sd'-d e>:f:Cy;:on prsreoi;:- 

!f«.{t::5S*J:-ig ox^ C! ^liOi'i Of s^id CGnimgno ^5?. S;! autiioris&tfOfi at or above spfsci^ad isvsL 

?6. ryltiihDd 3? coinmuoicasing s ^scyre bootetsn rssponss, yspeciSiSy for ttse in s oevics os sjiyonss of iUe 

b} sftcrypting ssid rsndom nt^mber undsr a key; 

fi) ssfxiing said sncryplsd madiiisd f3;'idom rssirribs?' ia iaid t::-st ss&uftty dSiVioe; 

\} convci'mq ss:d ntoosfied rsfiderf: nuniisei vs;$h ssid fancosn siUiT^s;);?!- to deienriine fs^ponse^ 

b) using s poilioo at said (anciom nomSsr te sslsci nst o; ssid yaius; 
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fO'finf^Q m {.Siiifeng fi'*T» c^ustfS catfs!* to petntrg <tim *his revfeng m a pao'Of t-rt rsmg 
'v*^ ta X' ot *he -ifoc jjfsted st^e! ^hee^ iho'o '^afler rete rod te < s tha * Wot? 2"? 

onto the s»Lffat& of Xhf^ z •> f 5>teeS 4>hoK=s* n pff>si>-b mm m *o i^t^Ds^ve < rtiVsclsrio o; ihe is*^' 
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a^ie'ssj pos&s howevs? the fosswfog ptobSems: 
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impossible to ma^nsasfi ihs onsniauon of i^^e Cfv;;i-r:is oi <;"-;0 e"ici--Oi,:-i?.tir.-;; iiye-f aioi-^g the- {K'l'X) plane 
s {whsrs; X Js 1 . 2, 3 or A}. 


Under such circumstances, there is a strong demand for the development of a plated steel sheet
excellent in antifriction, corrosion resistance and painting adaptability, but such a plated steel sheet has not
as yet been proposed.

SUMMARY OF THE INVENTION

d^gr;K::{s5ri;-:&d bv ecJSTfOfiStrtsv 

a zinc plating layer formed on at least one surface of said steel sheet, said zinc plating layer having a
plating weight within a range of from 25 to 150 g/m² per surface of said steel sheet; and

an electroplating layer formed on said zinc plating layer, said electroplating layer comprising at least
one element selected from the group consisting of chromium, manganese, iron, cobalt and nickel, and said
electroplating layer having a plating weight within a range of from 1 to 10 g/m² per surface of said steel
sheet.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 is a graph illustrating, for the plated steel sheet of the present invention, which has a zinc plating
layer as a lower layer formed on the surface of the steel sheet and an electroplating layer as an upper
layer formed on the zinc plating layer, relationship between a frictional coefficient of the plated steel
sheet and a plating weight of the electroplating layer as the upper layer; and
Fig. 2 is a schematic front view illustrating an apparatus for measuring a frictional coefficient.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

From the above-mentioned point of view, extensive studies were carried out to develop a plated steel
sheet having two plating layers and excellent in antifriction, corrosion resistance and painting adaptability.

As a result, the following findings were obtained:
A plated steel sheet having two plating layers and excellent in antifriction, corrosion resistance and painting
adaptability is available by the following steps:

(1) forming a zinc plating layer on at least one surface of a steel sheet;

(2) limiting a plating weight of the zinc plating layer within a range of from 25 to 150 g/m² per surface of
the steel sheet;

(3) forming an electroplating layer comprising at least one element selected from the group consisting of
chromium, manganese, iron, cobalt and nickel, on the zinc plating layer; and

(4) limiting a plating weight of the electroplating layer within a range of from 1 to 10 g/m² per surface of

The present invention was made on the basis of the above-mentioned findings. The plated steel sheet
of the present invention having two plating layers and excellent in antifriction, corrosion resistance and
painting adaptability is described below with reference to the drawings.

Ti-jS p;,si&d sifol ol ihs p?s«ss:nt invorstlon ©!--t;©i!<5.it in ansiirsciiOiV '.orros^on !f'Sis.tancG and painting 

v> .i i . \ 5 ^» ^ . . ^ 0 c'aJ' ;'av J kn-^tN -y^ '< f.f ,>i i . t aBf<3«' oi 

The zinc plating layer as the lower layer formed on at least one surface of the steel sheet has a function

Tins ;;!ric plating layer is laoTied by «3!lf(«r of fha olsc;lropist!r!g inoSiixi and ihe <lip-pS«fjri9 <nelhod, 
svHch afs now vvidsiy ciilfvsysd as an liidudriaitzed proe«!esfi!S. Wj-son fomilng the piaSing layer by the 
electic-psatinp rn«si>od: a xinc oiectropiafcn') bath ss saSftcl&d frr^m an^ong a batfi oontaimng sii-tatfi. a haf;-! 
layer as the upper layer. In addition, with a plating weight of the zinc plating layer of over 150 g/m² per surface of the steel sheet, when forming the zinc plating layer by the dip-plating method, a zinc deposition

conduct the press-forming of the plated steel sheet. The plating weight of the zinc plating layer as the lower layer should therefore be limited within a range of from 25 to 150 g/m² per surface of the steel sheet.

The electroplating layer as the upper layer, which is formed on the zinc plating layer as the lower layer

X ^?>ij i k*, ik^a 's. c*^ ">t vi! <n<i wkvi ^ ity vCif ^ v v > v>sv.! tv<* vy 

high cratering resistance and an excellent antifriction. Since all the above-mentioned elements have a high melting point, it is difficult to form a plating layer of these elements as the upper layer on the zinc plating layer by the dip-plating method. The electroplating layer of these elements as the upper layer is therefore formed by the electroplating method with the use of an electroplating bath such as a bath containing sulfate,

cr"^ 0),,-^ -.^s, a iaxHO^ a m^iitrs of ssasat^! and '-^"^"otidie oi a i:>iJh ivmimup 

Fig. 1 is a graph illustrating, for the plated steel sheet of the present invention, which has a zinc plating layer as a lower layer formed on the surface of the steel sheet and an electroplating layer as an upper layer formed on the zinc plating layer, the relationship between a frictional coefficient of the plated steel sheet and a plating weight of the electroplating layer as the upper layer. More particularly, a zinc electroplating layer as a lower layer having a plating weight of 60 g/m² per surface of a steel sheet was formed by the electroplating method on one surface of the steel sheet. Then, a nickel electroplating layer as an upper layer was formed on the zinc electroplating layer by the electroplating method while changing the plating weight of the nickel electroplating layer. A frictional coefficient was measured for the plated steel sheet having the thus formed two plating layers.

As is clear from Fig. 1, when the plating weight of the nickel electroplating layer as the upper layer is under 1 g/m² per surface of the steel sheet, the plated steel sheet has a high frictional coefficient. When the plating weight of the nickel electroplating layer as the upper layer is over 10 g/m² per surface of the steel sheet, on the other hand, the plated steel sheet has a constant frictional coefficient at a level of up to 0.1, which does not decrease below this level. This applies not only to the case where the above-mentioned nickel electroplating layer is formed as the upper layer, but also to the case where an electroplating layer comprising at least one element selected from the group consisting of chromium, manganese, iron, cobalt and nickel is formed as the upper layer.

When the plating weight of the electroplating layer as the upper layer is under 1 g/m² per surface of the

of the plated steel sheet is deteriorated. When the plating weight of the electroplating layer as the upper layer is over 10 g/m² per surface of the steel sheet, on the other hand, the frictional coefficient of the plated steel sheet becomes constant at a level of up to 0.1,

' i ! --^^ t iMxf 'iMh-^ i%"t<ot at*^" kvc ^t ^, ^iXiorMv >' 
f;:3i:.;!ai^5d. b^i siro ooncn^Gf: resisSarscs of tho pfat««1 ste-si steff fisayesie poorer. The pi.aii;x; vveigj-st o! th* 
ei-5C;iopie':;;p i^^vs^: AS: Uiij yppor laytJr, which cosnprieee at fea^5t ofsc esespont soieou^c; tho 'yow:- 
sa oorisislifjg ot .chromium, msngaoe^, iron, ctxsait and rsiok©l< shoufd th^irsfsm t3e limited withsn s mrvge of 
from \ Id Ks g/m'- per sttrfacs of fhs sseoi sdeot. 

As described above, an excellent antifriction is imparted to the plated steel sheet by forming the

i f ^ ) > » c vt.f t h > JS O! ifK, VSft>^ WU^'JO < fjvv >{ f » 1 Sw 0 y f f 

sorifcre sn^ i!.:s..t ^h,. -t cofnp-ises at least one eiemeof seisoted trofn the groisp coosistsng of 
s^5: ^ ^ ^ v-f* o ffw w -> a fft^j fa>'t. a-v 'hr f^vsc> !o>,>-.r I v r^rsoe of 

This is estimated to be as follows:

The zinc plating layer of the zinc plated steel sheet has a relatively low hardness. Therefore, the zinc plating layer having a low hardness is deformed upon the press-forming of the zinc plated steel sheet. As a
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p!:-? si«t^<^s of sr^ <*t%'<5 'Jh** t ite <*isc sop tf>i> iayeir i^slh^ ap^ssf liysritsom 

piii-y^ a of ths prs-^s A & b al ^ son? ^.f^offjuent oJ piate<1 J<^8l "^^t he f^'no 

0<.f <^ ! t*c$ 05 is « si$i i I te^Ki\ (ft « !<,<- siitnl *fs^fO((a! cos^f si 5 a i v<*" wJ^i ^ sio kt\^t 
osoroasss trom ssvei. 

io, lis f^ertf-^o^iffty f»i« s"^ t\ 'i*y^ « v-^s-<i>-if 'j^s t %5 * 0\ « ko-^ ft* ekthd 

atl»sfet5i?ityi ox:G8itet5t emf«ii«q resistance to tho pSatees st65«i shsei, 

Moss V. Valy , f /osOijesi > pcsCvjt^SiJ «sfv<m }y «r>f^r5 "otm g >jia *m-j tiin^ by 

tf^v, f J {«rs r IhtJ pstntfg it -n 

H'>¥«s. «s h<3 ©s'^fo ia{ii§ ^ w> as {fie uppes c f^e r *^ stie^! "x^mt <^t hs ^ftt 

■^mng iin? th« <^ sn \ oassstcig sdivtauiitvy 3*i syr^slten cratsrsng stss^nsncc of 
r>5S!&cl slses sft«8t, 

1 pts it \ri V <<, tvti. plSfl'c; iiViJf <■ < <■ Ht sil ifs 

V af i fi«^ a't, tSv^fSi / is <^«>v bi.4 i>J0^t m dst^i! fey rneap^ of 



«-^s-np«*« htfsf^ -nfatft>3 






m Pfettng bath: m'm^f&km: 400" C< 
The iJi-iilncj vvBtfi^i. was; ctJniKiiled Oy \hQ ygss sqtstso; ' ., • 

Ti-ii;:-:, •■-! Uv;: i 5h«s?ts h?iV!nci the- sine oie^-; ^ , ■ ,! or Jho zi'^c o;:k!-s>bt!!^<) U^vi. iori.-sd 
on sach Oi tf^s both suffscss thsreot: was subjsctsd lo *!»ct--x;p!at!ng u"v:i»! sf>o!S^O( conditsons 

shows-i aim in Tabfe 1 to forf!> as e^-getfepSatiog feyer as; aa !.;pij8!- SBver. vvhich cof!-:p!:s;8d 3t Isaju on<3 
8!■^(r■:^.■n^ j;oi.;.cti;ri S.om gfoup ccsnsiiliny of ditOfnkJjvt, mangafiesy, uor% coDaii and s-sici^';.;, en Uii ;:;nc 
^:k-!Ci!\ipi«;ir:f; iaysr or the zmc dip-pialsng iaysf. Thus, san^pfes ai ths sfeGlroplated stesi shest within the 
icoiie s;;es«ot inv8«{!!>n 0weina?}«f mfetmd to as tha "ssmpfes of ihe iweiiiion") Nos. 1 to S4 were 

Fd?- 8ac^ of sarrsptes tiis snvsnjioo Nds. 1 so 54 tns piaS;ng wssght per surfacsf at tt?s5 stesi shs^i 
mom also ifi Tabk* 1. 
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Fof con^sarisofi pufpossss^ each of stee; sf^e&Ss idsnticai wj#5 Jhos© sfs tfe& sa;r^p;<&s of t'm mventson Ncs, 
i to S4 (axcsspt for Mos, 3? ano 3S;, was sofciected io a canvsnfeooaS (isgmasing liBstmsnt and a 

bo;h s»rs"3css of v^hkij m$X was thus f?jfr*ove«l. was suUsKUed io at? si«ot!i>s>!atif59 tirxisf the; conditfons 
shown >!-! T^*se 2 to Iwrn a ^Inc efecJtopk^iirsQ i&>«5ir as a tower iayer on sacfs of th<& bosJ> s«f1ac?:? of t^fi 



steel sh.S6t, 

r,;>;'nj.-;5ii;;o:-.") Nc:^ ! k- " vs';--;: p)^^i.•;r5■■■; Essch oi the samples ior comparison Nos 1 arid 7 had orily 3 idix; 

§ach 01 th& san^pfes tor coi5^p&;-isof! f^os. 1 as wsu as stemersts and ihe corsi&fits shesBot of Ihe 
K? eSectfopiasi-xj fayer a:) she upps^r iJiyet, a(!d the piattog woigbt per sisdacij oi iha s^BBi sf::Kr; .of ihi- i:bov'<5- 
m&ntiOf5sc5 sfeetropiating teysr t<x each ths samptes. iw comffSfison Nos. 2 lo 8 ar<s also stevd in Tafcte 
2; 
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Theft, fer sac^i of {he 
snoafis 0^ pftdofmavice tests; s 



to 54 and the « 



antscorrosive oiS wss; appSsed and frscsionaS coeltden. ins sampi© tor corn jjais son No, 7 on am smsce 
01 wrsich ihe htgh-vsscostty iybncanf ^sfes apsised. were me&$iured wiSh tiie wse aposiiaJi:^ as «hi>w;> m 

attschsd vertically so tm rack 2, and hsvs^Q a phjraisty of roiiers b ort sns ijpDsr «od msrso^; a sypponmg 

t i. i Dvl-i I Mf j of i c ! 1 t I ? t >Si t 

supirfO!l)!i8 stand 5: a pfssssrig b^ock 4 fiS^s-'d to a h&m d y. f- ,! r'C0.i>'5c.i so^'S^d the 

■'0 * j ! ' < ^ « * > if < \ <■ Ihi) i " i ! Si f ( 0 5 \ * !s 

previds^d ors snoThsr rack \h for riorizcr^taisy sTsovsrig ti-ss slsdiftg sabia ^; ano a sa&orid iosd ceii 9, provided 
.('&' btivvi58!"! sn ;5p-jr:5;i:ifn:s tod K; onnecffv^ -^o 'i'la .^iKii-Xj siib^s ds-JVin-j f>'!«;o;'!ar,;sa-> a-x; one ••.■■lO c^;■ ;he sli>*ftg 
■tabfe hMt irmsurmg m force «sppiisd norixofsteSy to-IJ^ siidsog table 7. 

By operating the supporting stand driving mechanism, the supporting stand 5 was moved upward to lift up the sliding table 7 on the upper surface of which a sample 1 was placed. Thus the upper surface of the sample 1 was pressed against the lower end of the pressing block 4, and the force N applied in the arrow A direction was measured by means of the first load cell 8. Then, by operating the sliding table driving mechanism, the sliding table 7 was horizontally moved in the arrow B direction, together with the sample 1 placed on the upper surface thereof, and the force F applied in the arrow B direction to the sliding table 7 was measured by means of the second load cell 9, at a moment when the sliding table 7 reached the moving speed of 1 m/minute. The ratio of the force F to the force N, i.e., the ratio F/N was determined, and the thus determined value was used as the value of frictional coefficient.

(2) Cratering resistance test:

Each of the samples having a width of 70 mm and a length of 150 mm was subjected to a dipping type phosphating for a steel sheet for automobile in a phosphating solution (product name: PBL 3080) manufactured by Nihon Parkerizing Co., Ltd., to form a phosphate film on the surface of the sample. Then, the sample was subjected to a cation type electropainting with the use of a paint (product name: ELECRON 8400) manufactured by Kansai Paint Co., Ltd. under the following conditions to form a painting film having a thickness of 20 µm on the phosphate film:
# fs) imoressees voitage: ^Sd V- 

i: ! A'-'" -> o.'iAd**^ a'(<^d'^ sx" cat^f^O(% 1 

i! r ' ' V t 3 {xnutCN 

i R "0 t --.,at«>o K o^f»&is v! me comber of aal&rs pitsdiicsd ssi Ihe painiiftg Uro 

45 ;!i < < fif it h |( 1 \' 'dm as descpfeeo ab<3v&rrhs crites^s tor sveiuegcMVwere 

'"i i K s 1 ^'!thit^ a c«c'€ 8 <Jis?f}e{os ol 40 mm &t the centos of tho sample, 

> ' o latt •§> 



Corrosion resistance was evaluated by means of perforation resistance and blister resistance as follows:
(a) Perforation resistance:

As in the cratering resistance test as described above, a phosphate film was formed on the surface of each of the samples, and a painting film having a thickness of 30 µm was formed on the phosphate film by means of the electropainting. Then a notch was provided on the thus formed painting film. Each of the
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&-cte<3 to She 60 cycles of co-'o.^<0!' t-^tu^ and ins sria^imiim corrosion cispSi^ praliiCiSd the steel 



m upp&f psmimq Islrs- hsvsng si in;c:kn<:SS 3S um vv«(« lorirsiifi Ofs Bse iosmsd fewer psiifiirig Bm, 

was exposed to the open air for a period of one year, during which salt water having a sodium chloride content of 5 wt.% was sprayed over the sample at a rate of twice a week. Then, the maximum blister width of the painting film was measured on one side of the notch on the sample after the salt spray test, and blister resistance was evaluated by means of the thus measured maximum blister width of the painting film. The criteria for evaluation were as follows:

A: A maximum blister width of under 1 mm;

B: A maximum blister width within a range of from 1 mm to under 2 mm;

C: A maximum blister width within a range of from 2 mm to under 2.5 mm; and

D: A maximum blister width of at least 2.5 mm.

As is clear from Table 1, all the samples of the invention Nos. 1 to 54 had a frictional coefficient of up to 0.18, and were therefore excellent in antifriction.

All the samples of the invention Nos. 1 to 54 were excellent in painting adaptability as typically represented by a high cratering resistance with the number of craters of up to 10 produced within a circle of a diameter of 40 mm at the center of the sample as evaluated by A.

In terms of perforation resistance and blister resistance, which represented corrosion resistance, although samples of the invention Nos. 34 and 35 were slightly poor, all the other samples of the invention were excellent. Each of the samples of the invention Nos. 34 and 35 was slightly inferior in corrosion resistance to each of the samples of the invention Nos. 1 to 33 and 36 to 54 because the plating weight of the zinc electroplating layer of each of the samples of the invention Nos. 34 and 35 was smaller than that of each of the samples of the invention Nos. 1 to 33 and 36 to 54.

As is evident from the above description, all the samples of the invention Nos. 1 to 54 were excellent in antifriction, corrosion resistance and painting adaptability.

As is clear from Table 2, in contrast, none of the samples for comparison Nos. 1 to 7 satisfied simultaneously the following three favorable merits possessed by each of the samples of the invention Nos. 1 to 54:

(i) a frictional coefficient of up to 0.16 in the antifriction test;

(ii) a maximum blister width of under 2.5 mm and a maximum corrosion depth of under 0.4 mm in the

(iii) a number of craters representing painting adaptability of up to 10 in the cratering resistance test.
Mcstt ;!>■; : >' !t-!t sarripte for oofnpa'isofj Mo. t fsaving ibe ^ific e!ecS:Op;f;ting i.i)>-j: ?s: (r-i: .;!!!<;:-;.• 

V. ,jV, ' ,.«!\l OC :h.J or-t;0^i!v',-vV OtS a 5>t&Ss! ShtSOt OS' fh<^ >vJ<\3.>. iV,-= • f-0';o:^"i 

co^fiicies! ot 0.3. The sample for eompai'isoo No, 2 having a low plsi;??^ sysigiht of tb& riteksl sisaroplglmg 

Si5!f)pis5 lof oof5'!pa!i.'iO(! N>:>. 5 h<ivin(j ihe ;-:!!x:-raoiio! {siiov efoetr<ip!S!is"!g layer as ths; sipper layer, which ws.-rs; 
oistside the scope of Vm pfcse-ii iovontson in that tf;-,5 siecttoplatincj isryer as the upper layef cofisslfied anc. 
were poor c.ralgrsiig !«,^!Stance. Tii© saiTspIs for comparison No, 6 h&ying a ;ow piafing might of the ziiK 
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msiSJS3nc& and biis!&f rssisisnse. 

Fuflhsiws, a high-vbcGSify luDhcanl on (owiua name: FERnOCOTE 6I-MAL-HCL-1) mamsiacfefed 

J !, ^ U kt V i X. 1 N N t t !!> Sr / u 

s Jhs sa^Die for compansofi 7, and an a ViisViction fs.c-= a^. <:;<-x^.:.;ir;t--i at-ove v\a'5. effected on the samDS© for 

■> "^^f r '5S!i5.d ^ it ! < I <' vM'^s, ^ Ml t i ^< ^ > f ( o'< ' >;< < 

i;^^o^•ft■fT;,^:^;i<^lVl■d tc^rvipi^: fc; co^fipartsort m. 7 had a fdctfomil coaft=ok:nt oi Jhi. ;^:^'e^:L^d Shai ti!<5 

y.o s.:ii>x^ ai:;r:uri:^ n 'u. ts^';: ; ■ :hc sAmpte for eompafiscfO No, 7 applied tfss h(Qh-v!sa>S(Jy htaimt oi! 

w which was very iMtcm to fetnovs. 

sh^;<5t h&v:;^o sw;. putting iay?^^; a^id iv;c«iia!U m mmmim. corrosioo msistancs and pairsting adapJabtiity, 




a zinc plating layer formed on at least one surface of said steel sheet, said zinc plating layer having a plating weight within a range of from 25 to 150 g/m² per surface of said steel sheet; and

an electroplating layer formed on said zinc plating layer, said electroplating layer comprising at

least one element selected from the group consisting of chromium, manganese, iron, cobalt and nickel, and said electroplating layer having a plating weight within a range of from 1 to 10 g/m² per surface of



d pfstsng fay^r is m xtnc electropisSrsg layer. 



a A pitted st«ei 



n soy oos of Osims 1 to 3. 



fiinarty onsoiaaims f ?»3,v* 



d ift any ons of Ciatfns 1 to 3. ^-^ 



a \r. my m& «f Claims I tc» v> 



m ^sr»y am of Claims i fo 3, \^ 



11. A plated steel sheet as claimed in any one of Claims 1 to 3,
said electroplating layer comprises iron and chromium.

13. A plated steel sheet as claimed in any one of Claims 1 to 3, wherein:
said electroplating layer comprises cobalt and nickel.

14. A plated steel sheet as claimed in any one of Claims 1 to 3, wherein:
said electroplating layer comprises cobalt and manganese.

15. A plated steel sheet as claimed in any one of Claims 1 to 3, wherein:
said electroplating layer comprises cobalt and chromium.

16. A plated steel sheet as claimed in any one of Claims 1 to 3, wherein:
said electroplating layer comprises nickel and manganese.

17. A plated steel sheet as claimed in any one of Claims 1 to 3, wherein:

18. A plated steel sheet as claimed in any one of Claims 1 to 3, wherein:
said electroplating layer comprises manganese and chromium.

19. A plated steel sheet as claimed in any one of Claims 1 to 3, wherein:
said electroplating layer comprises iron, cobalt and nickel.

SS, A platecl sts^i gteet as ciaimod in^ny one of CIssTRS 1 to 3. whes#sn; 

said electroplating layer comprises iron, manganese and chromium.

said electroplating layer comprises iron, nickel and chromium.

28, A pIsfeKl stsei §hgot as dsSmed ir> arty one of Cissms 1 to 3, SKhe^^jn: 

said electroplating layer comprises nickel, manganese and chromium.



m 
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the sect^sf isy posicy, artd rs istTsctis {nerajv^ The computer 
system having aj-s ofssraBng system aoh«fing to an 
access contrd sscunty mechanism. Such sysJsa'ss 
sncsude Qov&-'nm&ri\ sysTSfns vvhsfsin s hierarchy of 
■secunh' isassiSicaston levels are ostsn-sc (s.g: , top 








1 ) J\< tn 



ncisjssa userQ pjo&?ssefS fs-o^ams to. example 
a>)«cls ar? tr!« fscspsstits of st bjsct adjoo si as 

Ills, 

vioHiiw s®(Sk.!scert^*sf systsm access fates 

rid -Nf^T f> ^ 
0 -Sen -^i 1 ! <: r><r !. <^ s *■ <. n 



Hp <. >K ft uh \ 

" jehe l<->tifx x^>s'5u ^ f*^i, w 

5 -it a !> fSta S t 5 ■> V fJli ^ 



^ Ur^er fnaf?da!ory acc&si; cont:oi. every siibject and 

if ?h ^^ g 

vc-ts a Of vv! t r c a S '^-^-i on y>s>»tr 

s ^p(C3i!y h 8 Si h!CS!i i^viu in a is tsv -t^ 

iVoisJsH fet a s«b ect to sead oteioe! st b- 
8<S s tivtty )^ tns^ dorrsnaife tse s^sect s s>«tB. 

ec|uaj <o or exceeds ^^he dassif 'ca^ o •< of t"^ obis'- Ssrr 

3* V 'xJej fO! a St Jjject to «ts *8 'o c^jsc* Jh«: u ssject's 
semjj-Vijy !wi oi.'ss ^ ^ ai to c ses? t "s-^o *hf^ <■ "s- 
tfwty!ws!oft"^eci,^«» Ox ny f<50t 

ff«'e'> eac f vsjf?^ c ti\ n tt > ><i k* 



comectsd «tt!>o-««» mS easy fe-^ots aa,ess a?^ 

$^s^N^ t i y eou ivf m{> of»<«fi-i 
Of^mer r itn d t? j *- o edefem ed 



fi>^i 
H f}i 



vit gppf v<Jt(Of? ;a ^ dai^se) «ftiher on the 5»e}r;j sys 
ietrofOoa«o^8>'%> st^m'iisnetssorH Tts success 

■>e tr"* s^n^ s's odsi pgrm'- two vs>«jy com(yi!inii,«« on 

avCOftJiTC! Jl/ {hS af^irsbo HU-«S5> o'«ro« s>^u:ty 

m^ch&mm. 






^f'cjwn c;:&gran i-;-i«t!Csiiy P^gure acces.^ to s 
'S'iouros Of 3 ssivice (ci.'isc.i! by a pfocsss {si^ject) 
iunning at s partscuia; sefistg^ti? Sevei is fsstficted to 
<^jec« ;-:ie;Tiofv n^iViPg tne same serssiiivity tevsl as 
tils? rftoussfccj p-ocess, n^,ndaiscJ by v-s s-r';-jss 

catiOn ss preckdsd: whsfs the Si-fcfsci srsi ihe si;j!5s:;t 

S&s, S8fv»«, Of !«jOi.;K.s, afJiS 4iC«it^ by oilier proc- 
esses wring ^\miOfi$ whicJ^ also desire to access 

Another technical problem arises, however, in the prior art system of Figure 2 described below when a port on a receiving system remains open for a substantial period of time at a particular security classification

and systems having different clearances from accessing the same resource, where a port has already been opened and remains open under a different clearance. Since a port number is unique to a resource or third party system being accessed, the unavailability of that particular port effectively precludes other users or systems with different clearances from accessing the third party resource. This effectively renders the resource unavailable to applications operating at different sensitivity levels.

Accordingly, there is a need for systems and methods providing access to resources operating at multiple security levels. Such systems and methods must be transparent to processes having different security classification levels.

An additional problem with current multilevel trusted systems is security violations from interlevel signal channel communications between associated system ports or covert channels. A covert channel is an information path that is not ordinarily used for communication in a system and thus is not protected by the system's normal security mechanisms. Thus, there is a secret way to communicate information to another person or program in violation of security protocol. The covert channels convey information by changes in state attributes or by changes in system performance or timing. By monitoring attribute changes for stored data and system timing, confidential information may be inferred. Data characteristics such as message length, frequency, and destination may be protected from analysis of data traffic by an intruder or from a user having a lower classification on the same system, with techniques such as covert channel analysis, padding messages to disguise their actual characteristics, or by sending noise or spurious messages. However, such measures do not guarantee data security.

Accordingly, there is a need for systems and methods to prevent data access in violation of security protocol to ports having a dominant classification in a multi-security level computer system. Such systems and methods must secure access to the dominant port to protect attribute information from compromise to an
SUMMARY OF THE INVENTION

T>ts invsmson is <Msrted w oiaims i< 2, 5. ? and 8< 

.H.O'Mdsuc; ■& li-s psesssn^ invention, muitiisve! 
tfusiiXi syste-T's assocss-s mu!t(pi&5:iOrt Sf)d|;50ir!t$ with a 
i5sf!gis idenijtier code !Jx;iC3t(on or esfn® Uss ot a single 
ideniiSiCSiicn to assosiMe miiiuose ps^rt sndpoints sf?a- 
fctes p-cviSiOf^ Oi a escurity check ^vtxcn i-;i;i;-~. if-ler-enti- 
pcint ccstr^TJurs^Ciaw wr^en the e!xi;x.'nv> :j>e nj;tnf:i 
associated with a comrnorj identsJief co-de ^'-e^^^o^: 

irster!8s.'«i§ coft?;Ts.inii^5t!on sjrg diftsinis^^ed, 
According to the present invention, use privileges for third party communication at a selected network level are affirmatively granted at multiple specified levels. This is beneficial as it permits direct and unmodified application operation at desired multiple levels, permitting multilevel trusted system operation without applica-

According to the present invention, a computer system comprises a machine-readable program storage device embodying a program of instructions executable by the machine to perform method steps in a multilevel trusted system establishing a multilevel port to enable multiple, substantially concurrent resource access-

According to the present invention, a computer system comprises an operating system kernel supporting a multilevel access control security mechanism for creating an object access packet comprising an internet protocol (IP) header including a destination socket having a machine address and a unique port identifier, a port identifier comprising a port number specifying a resource or object, and a sensitivity label for an access control security protocol. According to the present invention, a plurality of processes are created on a destination system for a single selected port number at a selected unique sensitivity label, permitting resource and object access by multiple users in a multilevel access control system to a selected port according to a selected security policy.

According to the method of the invention, machine readable code opens multiple instances of a selected application, both instances having the same port address and a separate sensitivity label.

According to the present invention, multiple network endpoints having the same port number but separate security classification labels are established, permitting contemporaneous process port access according to a common port number while still adhering to the system security policy. As many ports may be open with the



ffcat^s «5«d by ihs systsm sccsss cmj<3\ security 
protocol 

BRIEF DESCRIPTION OF THE DRAWINGS

Fiours^ ! « a fcfotkd^aciis;-;-! c;? a muii lev?^! trusted 

p!)6dst$;p-^i!i<KS secuiity isv^is accorcs:nc! to She 
pdof aft: 

$>i:i*r--i accc-ni-ing iQ ti-»> piiO! aft m «vh(r;i a ci-HSa- 
gf;^r:i Of •T-.isJ'iag^: p^i>,^^^^i f^: ;;:x!?!-f:u!!;;a\-w !,i''v,s ■\ ■ 

!":i)uf«- o a s inkick diagfa^^ s ssscuirtj sy5,tftm 
accGrding to th» pno?' art; 

;g!,!f<? 4 "i a <:5;agfarn v m nmmi system act»st3* 
ing to trie i^rsser?; snvsr^tiori; 
Figure 5 is a flow diagram of multilevel trusted system operation according to the present invention; and

Figure 6 is a diagram of a multilevel trusted system processing a communications packet according to

DETAILED DESCRIPTION OF A BEST MODE OF

Figure 2 is a flow diagram of a prior art system employing access control security mechanisms.
pay^y spji^icsfef^a rsquife s verifsestiort ittm a 
r&rnots stird f^fty cxsT^iitsr systm AiSarnsisyeiy, 
iisens« vgf ifscation rmy be i^jsct in st pfocsss 
atifig Oil th& Sssn-!« systsm as {h« ptocess in which th,§ 
s,cp!!C8tls>n is funj-isnQ Onc« se-s apfsJioJlion is tfsstaoit- 
ats-cs &n a f:f$| opesalirsg systetr^, it way dstsfmins thai 
oofmiyniC^-jtiOr^ witi-i Sf^ (ioi&cx pfacess. is rsiqyired. Tl:>« 
K&f!i5-I 0!-! tns first $ysto?i-i accofCi-igiy er««*^ S » 
$o*$t. Sif>;^ cofistfucta 8 a ccsfirnurxiaiiisifts pacfs&t, 
in<;!>.!C!ing sr; appjopdats Jisad^r. s !T5achir*s addfess, a 
pC'rt fjuo^ber. snd s p^05?xoi tdsf^rfler, attaches iu a 
data a.!id a ssnsiiivity isb^i continuing ttse dsatSfsce ot 
iiis process ufxier whiC^^ tti« appiication j$ ti^nriing. snci 
irarisrnit^ "^S throtjgh socket a data packet ove? a 
eaieci«d eisctrorjic corwuinicatsoria medium 

An internet protocol (IP) header typically contains source system information for the system originating communication and information regarding the destina-

h-&m at liia source ssxi th® desfenssos-! ftOf^-iputefs. ths 

cU'-'f!^^ Ji'c s -.'ft-jN } fi>vd>\ ^5-0 i'o vo c , 
TCP/IP, or UDP/IP, by which the two computers communicate. Port numbers or addresses identify an application or subject running on a client computer, and the application object or resource to be accessed on a destination machine such as a license verification program on a remote machine 13 or server.



data ara ssactrOTcally cojvfr;'„r!>catu^ i--^ if on t?->a 
source systerrs. itirougb a soc^iset ^adooin ^O' rec&ipt ? 
by a destinatiof^ sarver. Th$ os-itinaticn karfwi ■ 
mifies «t,^sth8!- a requesrsci jxiil 's ava:iab!^ 20 :f tf^e 
iXTt !S avaSaois ^.a., not vat ossnad), tte rsquastsd 

- c^f^s^uf^ oate itt-» 

!fOp»Sd 



3S. possifty mh a fKsggth 
bisrif) fw';} t*--? §->., c St*; v8: T'^-i ;>;^!f•■^ f: ai.s.fti- 
catiOf! -n";. 5 'iX;^;. ■^:t fo; ti,vo way co^r^-iorvcs^QVi 
t-.'Avai^'- n a.jv'-Cxf tyat^-f!-! asxJ -s dasisnatsop ^.ysiefj^i 
u?xisr an access cootroi sacwrity m«cnar?isrf!. 

s i-^iat'f.: -i i:if-.xa^-:.;-d the oiHtsfV^tion sysfai-: 
qiarjs 22 s> ;X''-* ^.-ifv,-; :>:a5;a!aiJ t6 a -cpiv ■56 and an i'-' 
header for the reply. A sensitivity label of the process under which the object application is running is additionally attached 24 to the reply. Under mandatory access control, the sensitivity label must contain the same security classification of the request of the originating system. The reply packet is further sent 26 to the originating server, where the packet is trapped 28 by the source kernel and inspected 30 pursuant to the security protocol of that system. If the reply packet is not provided at the same security level as the original request, the packet is dropped 32. Otherwise, the packet is passed on 34 to the requesting application.

Figm 3 sl^wss s rfiuigisya! trystsd system accord- 
ing to ths pfio? 8ft iiic^uditig fir^ throi^h lo»ftb 
instaricas d ttfe saaie s^asSad ^piication 40 rannirig 
oj»iaifrar«!y. The aj:?)ii<sito instaftcas of a 
«ppiicatiCKiarsra^^i^ve processes 4Sa - 4Sd. Each of 
prwssses 4Ks ~ 4gd is ass^j-sad a particuSar ssoijs ity 
ciassffica^oti. msi mch process harsdies cotinnu*nica- 
lion between ap?>i!cat)oa 40 and ksrnef 44. Tt?s 
assigaed saeyf!t>< cisi^ii^siiort, a^y ba a prad«ter- 
aii«ad ciasrartce isv«t i^saLKi ugo-'i tiia idas^y of a usaf 
or a tisar cataoc5!>' oi a ^.-y? os iiij^^icatsc-r'?, for SKaa^ia, 
«af nai 44 controis s.-iptit output fuocBoris. fTiamor y, pr oc^- 



as »'->'acts 'jefViCt-n ;^ '^vta'^as Sfjs-'i.cacijou vonrjfK^- 

sixausoss a sacsji ify pf ocass 50 ensuring That aacli p~oc- 

hsvinci .a ss";:uu») cia.'iSit!;;ai;cr! -on?.fS^e": Witii a irjf*<ia- 
Unro'-ti-ci S'K:iju!y fXiifCy AcccsJi^x; io a iViariCiatory 
:ir<:as.s CiTii'-feoS i^'■'■^C■! svitsr^rf, a>'-;f-"pta, s-K.uu*y 
;> -•x.(^'>-5 ^•t) ans.ui a; t" at pioaes.s-?':. 4:;a 4:?d -v-y iX.<>-;- 
fTfursscat^ With reaoi-'fcas at ti"5a sa.^-ia ^sao^j' ity ctay^; ■ 
ficam as the conaspondiDg proc^ ol ap|;^stBtfon 40 
M MAC oS^cis see accordin^y Sabei^ wiSb a sacur-ty 
iabei sshich is used Jor cm^myj^calior^ pacHsts 
trava^rsg featma tba as^icstioft proc^ mi the 
rasouEca v«th v^tiscb It hss message tragic. 

Figiire 4 shows a ftustisuser, muM^^&i source 
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invention, sAfhsch is r:eiwo:K?<i 1c a second cornpufef 
•sys;$;n S4 through « coniiriL-nicsti^-i ^s^vo!■k 5S. ss^d} 
ssthe interitet. a Sypioai configuration, severs! uss's 
sre ^-iS-PA'orKsd into a -server Source trsJsJed compufef 5 
syssei';^ 50 ir^cksdes a network incsiidttig s pSyttSfiiy of 
vvcjrkststions 56a-5&, serve!- 68, and a gssew&y 

61 ;■:>:■ sloiiiiQ a Kert-ifji (not sixiw;-;). Ths Sf5<;o?x> conpu- 
|iSf sys^esfi 5* iociydiK! a f-r-smory 6J fo:- sionng s Ks^'f'is; 
Fcsf iHcorfjjfig messsg&s, a secuiity inspeciiion is p€i- 
iDj-mecJ on incoro!r''4s pastets i;sy ksasne! fsxH showo) 
of gst&wsy >sefv$r 60. A fec:eK«;Ki i;H3Ci<s-1 passixl snto 
source t^usta^i oo^putet rsvit-j^n 50 or>:> al-if; r; r ;5%. 
been dstamsnsd thatthsoacKel has satis^ias the secu- 
fity protocois Qi the soufC<; trusie?; corrsputei sysfem 50 
li-i & n-suiStevei tiustsd system mrtq a rnanda&ry access 
control ssGurity psotood, for exstHs^e. the keroei of $0 
sosjrss irustsd softpytsr syst^ SO erssurss that the 

ss tte mm m er hl§he«-ite tse sensitivity fabei sS the 
dgstinstioji process or pan de^mtion of coa^utsr sys- 
tmr, §4 to which thss pas^ is addressed, if pastel gs 
sscuf it>' ciass^icatiori is not the same as o? hi^er ten 
the seeuiity cfessificatiors dsstinatfon port, then Jhg 
psskst is discsrcsed ffOfi-( iufthgr pfoc&ssiog. Message 
packets sfs seat thrcsogh a 04 ot a oetvifOi'k 
iit&ffacs csfii {aot shown) over a seisctsd trafWiissim s§ 
mediUTfi S£ fcifmeci of a coppef wifs. a fi^mt w&s itnK, a 
rt-sterossfavs or 3 r«d)a bfoadcsst tfansmissksrs link, 
Th& s«sieolsd Hnk with destination conpytsr system S4 
may be <;iis:CMy !hra<Qh 3 i-,AN conti^iCtion. a 
phone ssi*, or tndirectiy SiJCh ss thfough the tmsmet 3$ 
Upon reaching the destination computer system server, the message packet is intercepted by the server kernel (not shown). Should the destination server employ an OSI interface, the message packet is preferably analyzed at the lowest software level of the OSI stack, ensuring that the kernel examines the subelements of

ir; ons- errsbfXJiJ^ient each wori^staijon SS couyie^ 
through 3 fr.<xJ§fn 6^- \o the toi^rnat S5, srso' includes a 
K6; n§! that p&'-fornis 3e5;unty 

Figure 5 is a flow diagram of a method for establishing multilevel ports according to the present invention in which a requesting application runs on a first data processing node 45 (i.e., Machine One). A second data processing node 86 (i.e., Machine Two) includes a plurality of ports associated with predetermined security classifications. According to the present invention, Machine One runs 68 a selected application which establishes its security level consistent with the security clearances of user. When the application being run calls a resource or object at another data
ptocs&sifig nods, th& locai msdiir^s Ksrn^ op«rts TQ a 
SGCtet to t5S other rssounie or ot^sct kx vfhk^ a mes- 



SiHse awtysng a fxM-vie^-: u-quest csn t;-? niade Tix: 
socket identifies the Ps-stination rr^aciiine. a port riurjifcer 
eo?Tsspori--3in;5 so ii-!a appiscatior; progs-am ijeir-10 rtin. 

Ce-i: > ! -Utii:- i. =>D^3 ^0- 'fef- 

level for the associated port number opened by the kernel. The kernel further checks to see if the requested port is available 74 at that security level. If that port

i^? g , iiOv'S-^ ! us-M 5 tnr- haioss waits ?6 for a pre- 
«et^ - 5 s<i.; ; u ^ v m > otir-ip k Oi'M-^'^y mf^ ft it'e 
particular security level is available for the port number. On the other hand, if the particular port number and
ss. . i . ^- '<„-(-, ?wt:> !5 a<.ast!!"X' -'.^t^xJ! 
riel con-ipinss5 ths s;K:urrty level and poft oumtser to Cf«- 

number and security label combination into the protocol spaces of the IP header normally received for just the port number. The message packet is completed by
atfac Jog «2 sf^ticatier! ^ecific data am isilorn^tien 
ints prsste*ffis«^ ri^t^s of iP headss: to oraata a 
eom^ats datagi^m. Th© co«^«t^ datagram i^<^8t is 
k^tmmdM fer stg<Sfsois i^mfmjmiCiaSioo and 
ssfst to ti» <^$slsfsation awsr sa 

%6 opara&tQ syst«ft^ kern§i 8S 0! data processing 
r«do 86 it^ere^ts 8S titt packet from Mashios 0ns 
a«d j^camirtss ® jN^ stfo^mrsants of S?g |sads&t fe 
extract the port identifier. Once the port number and security label have been extracted, the kernel determines whether the requested port at the specified security level is in open status, and if so whether it is presently available for access. If the port is unavailable in that the combined port number and sensitivity label is in use by another application, then the operation terminates 93. If the port is available, applicable data from the message packet is transferred 94 to the applications portion of the applicable operating system stack of data processing node 86 for application processing. After data is provided to the application, an applicable reply is prepared 96 as appropriate. A particular IP header is attached 98 to the reply message which is prepared. The reply message is formatted 100 for packet transmission over an electronic network, and sent to first data processing node 45.

The kernel of first data processing node 45 intercepts 102 the applicable reply packet and examines the packet to verify 104 that the reply message has been provided at same security level as the applicable application process is running in data processing node
44. it m& ssci.:riiy i<5veis th<s kxnti piocftss .urxi the 
f^^t^x^ii^ mess^giS recoivrjfri ere the safPS. the repiy is 
passed 106 to the application for processing. If the reply is at a security level inconsistent with the security level of an applicable local application, the reply packet is terminated and, if applicable, a negative acknowledgment is sent 108 to the second data processing node 86. Although the reply packet examination shown in Fig. 5
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;rs5i<..:ii<hsi ihsi th-s siosuittv' isve^i oi ti-i^ f•^f;■iy pr:;;sei ist^is 
same or equivalent to the security level of the application process, according to the present invention, the reply packet may have a lower security level if the reply packet is to be read by the application. Any access controls may be used for receipt message packets so long as the control is consistent with the system's security policy.

Figsji? 6 shows a :ii§thC'd accosdirsg thfi presesii 

■x:<55:$. In pas iiiiuisir. an inco-rssfv;; pa:;k«l S6-. is. -ihowi 
intttK;<=pUJ;3 HO by a cJestsnsi-io;- ;i>'5;->5:n ;5 cpiiiiiVng 

sink 8!id nstwof'k isvefe csf fris kernssi in!«tfecs <^>«:i>rd:ng 
s:>-5ts«; intesfece 66. ^hy sp h<s«cS4;:- eiij-nef^i ^12 oi 
pacKet SSr e>!air!in-Ki am jhsj yo- i :-\:nx:"3r a^xi th.? 

chsd<s to d«t$r;T!ine If the rsquftstet^ ^y^n m^'ta^ 
already open 116. If not, the requested port is opened 118 at the security level indicated by the security label.
Activilj«s f&r ojjsning & poft at a particui&r sscurity 
srs ioggsd 123 ts pia<M?, s journai or histtay of th& 
activity to provide a database of security levels which are presently open for particular port numbers. A decision is made 120 whether to pass the packet to a local application. If all other protocol requirements have been satisfied, the data is passed to the application process 86" for handling and execution. If all other protocol requirements have not been satisfied, the packet
isdroppgfij 11)8 

ii a !-$gistsr«d p&x mmb&t rsquested is aiready 
open 1 1S, trss opsraiing system Kermi dfitsrmines 124 
whsttssr sacrs o?>sn«c! port »s ai th« sscurily issfsl spscS- 
fj«d by ths p<s1 idsf?t!}:e{"s ssc^snty !ab«l. if not, tnsn a 
nw jX'it iiaviog th« S3«^s ni(n'*>ef as \h& m^i^g part is 
opsnaci 1 18 al 8is !d«njiiiisci sscunty isvoi. The s^w-sg 
of ths ooji is iisggoo t.?S to .cviniii ihe sstsvstyv as 
dess3ii3§d atsovc--. if tix=i emX-^-^g cii^^n por; is at the ssm« 
security isy&l as identified in the port idsntifiej' subsie- 
nient. then it i« dsterrriinat 1£6 vst!«itier tfse ixsil ss irt 

If the port is presently in use, then a mandatory access control protocol precludes opening another port at the same number and security level being opened.
Consequgntiy. a pactei i-3 e-tb&- biiff^red 1SS and 
ct^sdted p«naiiGaiiy ynti; s pra-dsfinsd time-out 138 
occurs, causing packet process termination or the 
packet is taminasecs 10S in^sri^disseiy. or mm the poft 
t;iK.O!vies ijrtijsed 124, 125 :f &n ffi>en pan is s^if tc a 
ixiimci secufiiy levd cwl not cs.i!yss% in use 126, ti^-m 
tf-ii? pori sciiVity :s io^gea and a de^sston is msKse 12{! 
wt!»tt?ef or not to pass itte packet, ali cttfsr ssci;ii;y 
cdtigfm ss fnet. -ho paci-:et is forwarded for appiscafjon 
pfoesssing. 

According to the present invention, a computer system having an operating system adhering to selected access control security mechanism includes government systems wherein a hierarchy of security classification levels are defined (e.g., top secret, secret, classified, unclassified), and commercial systems. For purposes of this application, sensitivity labels pursuant to an access control security mechanism includes at least hierarchical security classifications, as described above, and may include non-hierarchical categories or compartments. For example, these categories may refer to various plant sites according to particular demographics, product types, as well as categories delimited by cross-functional boundaries such as accounting, public relations, marketing, engineering and R&D. Consequently, an entity holding a particular security classification may not automatically be cleared for all information at that level in every category. An application instantiated in the memory of the computer system may require access to a third party resource or object either on the same system or on a different system. The kernel, after determining that the user has permission to demand the resource, generates an IP header in preparation to communicating with resource. The IP header includes source and destination machine identification numbers, and port identifiers. The port identifier for destination system comprises a port number identifying a particular resource, database, or service requested by the source application, and a sensitivity label. The sensitivity label includes a security classification or clearance of the process in which the application is running, and may include other information such as category restrictions. The source system kernel attaches any application data to the header to create a datagram or message packet. The source system kernel further opens a communications socket and transmits the resultant packet to a selected destination system.

The destination system kernel receives the packet sent and analyzes the port identifier in the packet header. If the requested port number has not yet been opened on the destination system, the destination system kernel launches the requested application at a process security level consistent with the security level
!Ci-?rniti<?d by tt)e ssn;5:t)vi$y iaixii m 'tie port ipeniitior in 
the j^itscket header {s a . a sai^;a iowif;- ciasS"!catx;n 
!sv-3i). Ttie prac-sss ro;^ n-ay -fu: ttisf bs oi;alined by a cat- 
sgoty daL-;gnator carfy-ig il-^a secuisty labal o- -hie 

source system packet establishing multiple ports at the same port number and clearance for different categories. Packet examination and reading occurs according to one embodiment of the present invention at a destination system server, at a gateway server acting as a firewall between a destination server and a third party system, or at any server internetworked with the destination server.

Further according to the present invention, any requested actions and services are performed. If the clearance of an object process is the same as the source process clearance, the destination system kernel creates a reply packet for transmission to the source computer system. However, if the destination system kernel
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d-JJs-irni-x-s -hi-j ihs? poft nujr-be:- is; 0;:>5?:i. bul \h&i \h$ 
■jgnsitivity i3):;si 3^soc.iSi»ci m\b she source 
^fD^Ti the sensitivity lat^e^ of She -X's^ned port U- 
tion sysS«!T ksroe; wtii oofen anotrtsf poit having She 
s&r^e iXirt r^ufnts'- a? a -JSjcii^itv dass^f (cation consistent 
w^th the sgf^3it;visy iab«i o? the soufce port dentiltef, 
Similarly, should another incoming packet have a source port identifier in its IP header request the opening of a third instantiation of the destination port at a third, different security classification, the destination system's kernel launches a third instantiation of the application pursuant to a process having a security class consistent with the sensitivity label of the third port identifier. It is clear that as many instantiations of an application having the same port number may be opened, or running contemporaneously, as there are
C'SSfe-^ioaton yv.'^i yof?Xvi! f a<.tilf-n^ <dct5> 
are us^l to cf«j??tg unique port ideniHjers, thefs tf)e 
nuf!ti«r of porfe hawrsg g comrrson pott rsumbsf 
m?ght ijs C!p&^^ conUmpammm^ is the sum isl the 
nijmb«roScatSQOi';&s. 

if a destination systsn> ksrne! detsfmij-sss 8?8t a 
port nui^iJjsr Is open si a partiaiiar dassification seve! or 
t(K- She ssn'!« s^Segory and is ^sn. ths dsstinalion sys- 
tem Kssmei passes the received pastel to en (^©^^ dee- 
tifisitort pmeess. mmim a destimSsm jscsfi has ths 
;^pf<5gj!'sals;e!assi?ieal!0fs le*!©! or me saraa sategety is 
pr«ssri{jy ocasjssed with g iscigtfSajsly res«ivsd request, 
the destination system kernel does not pass the received packet to an associated destination process. Instead, the receiving kernel may buffer the received packet until a process becomes available at an acceptable security level or the kernel may reject the packet. An appropriate response message may then be sent back to the source system.

By wsy &f sx^str^fe wslhoul iij-nifation, an a^^iissliort 
insta!~>tiat<sd -ri tr;* op&~«li?-sg sysJsm ot a w^tJter 
fsqysf* access to an e>:t«:nU5i (esoufce fef !icertS$ vaJi- 
dgsi&!"i ot verfSicstion As a i^it-uit, the fecsivsti^ ^yum 
opersSing systesf! const; s datac-aiii of message 
pscHst coRWswg m IP :nc;uo:og source and 

pi'OSocGis and may attach a ifcersse v^siidssfton request 
associats*:i s'-'iti^! She gppSiCi^tson. A socket associated 
wish a so-ffce process inclocSes v=5 
a perl nu;-!->bS; iosnttyinc! a dessse'^^ 
license validation service). According to the present invention, a new port identifier comprises a port number and a sensitivity label. Upon receipt of a message datagram or packet by a recipient license server, a receiving kernel examines the received message according to receiving system security protocols. The receiving kernel determines whether the port designated by the received message at the particular classification indicated by the sensitivity label in the message header is open. If the port at that classification is not open, or is unoccupied, then the kernel transfers the received message packet to a communications manager and opens a



licsrising versficstion sKopi^csiiion in;5t;i:-:t;«i<Kt so a pjoe- 
sss at the itjdicated sscufity iafoel. if She licrt at the des- 
clasySication tjss already ije*^; Dosned 
(; g„ tno reauiretJ rasotjrcs in use by 
r usef at She ssrnfe security clat^iricstion). tbe 



is bufferad or dropped a 
may he cwinunicatet^ 



neptive sckno&i- 
< to tnescivce sys- 



tem. 



^^::!.:tos a 



Aco&fdins to the pr&seriE inv^ 
rj»n ;as;oent in th* feceivinjj sysae 

system secs-intj' prcSoO)! and da^^;•!rjjnes: whs-ii^v' So 
receive ar!iv;r.Q n-!«tu;agiJ patfets. and whesnef to csx-f) 
s por; ijt a ■e^u.Jsted seCijriSy iavoS, The s^ix.unty d;K:- 
r5»n :-5ccDr;tin{j to one SifjirsodimsK"; Cff the press-nt ;nvO!-!- 
tion SiOSifStes betxvsen an Open Systems 
SnlefCconeCvC^n .;0$'! data ■s^'^K iayef asKl Ofei net^vcrK. 

ssges, the socunty dcsooxjn ensures that the ke-fne! 
intei'Ceots arxi in5ip«c"s pacKeS J and ^^iS'^.^saoes tiave;?- 
ing Socsi interlaces "H-ie secxihty daes'^on sccciding to 
the pfeser^t invention scc-gsses indsviduai packet eie- 
mentsand sub-siiKViei^s oS the por- ideritSler. 

Accot^iog to the prsses-st inventjon, n-!uSSip!e systesr- 
sockets or snc^irSs havi!-^ the same port numfcer ar5d 
a iiftiqus se«si8v% sj s c^jsned is third party ap{>ii» 



Although the invention is described herein in terms of preferred embodiments, it is understood that after having read the above description, various alternatives

become apparent to those persons skilled in the art. For example, security label need not be associated with the port number at the source server. A composite port identifier according to the present invention, which comprises both port and a security label, can be constructed at any time prior to the opening of a destination port. Accordingly, software modifications at the source data processing need not include combining the security label with the port number. The port number may be associated with the data in a transmittal packet, and combined with the port number prior to examination by the destination server kernel. The present
invention sccordin^iy snoludos si'ie scope oi She 
sj^endsd ciaims a^fed ^ bfoadSy as the priw art vwi!! 
pern^ arjd^es^ic^tior! will permg^. 

Claims

1. A computer program product comprising:

a computer usable medium having a computer readable program code mechanism embodied therein for generating a plurality of ports, said ports being associated with a common port number, each of said ports having a selected sensitivity label, said port number and said sensitivity label defining a selected port
identifier tor at ieast one ot saio pens, p&i-;^irs- 
such as a microprocessor, and a secure co-processor protected by a cocoon. The co-processor is connected








vuss sr-d tij « n-;!:«i-KXi secu-s dataprocsssirig usittg a 
StfC't^T k5?y fcv nis^ans o* this intsgi^tsd circuit 

in »ie pay t<Mev;?ios-i- L\=?fiKfng, or any othsf 

ot :n-or.-\iat!c;n f & a secrat Kay T^is s<?cr$t K»y ss 

i>r.x«-S30f mi S;Of ,ici» s-;--^f '^rM kis t^:•^ ^ ns>, v-:-. j 
nty iS i>i;>!a!f:-M:i by rR-^^sfv^ jh«^ e-'iSift^ ;^-iK !>,);,■! o. ."^SvO' ■!■■;'! 

eii'GUiSs'y if? a sQco<ift, issbyrinfSi or Siicapsusasson whscn 
'^ay co'rjpns.*? !,.-ow4"\ js-xh^'K^ a-\1<'0! ^^e-ns.;' S-ow 

pie-L in \!>fVV sr. J ;:t^.;5 ^^^ «^^. t:i-o-ji!\- ;n tn? 

necttoas oet^vser* The mscfcpfocsssor mxi psrsphsraS 
circuitry, each of these connections being a possible point of attack for unauthorised persons to obtain information which can be used for finding the secret key.
M&r«<!v&!-, ii iSis opershm of the o^cfepfooesw iS 

of the microprocessor contain information which can be used by unauthorised persons to derive the secret key. It will be clear that as soon as the secret key has been found by unauthorised persons, the security of the system has been broken.

The invention aims to provide an integrated circuit and method of the above-mentioned type with

According to the invention an integrated circuit is provided comprising logic circuitry, preferably a microprocessor, and a secure co-processor protected by a cocoon, said co-processor being connected to said logic circuitry at least by data lines, co-processor comprises a cryptographic engine and a volatile storage element for storing a secret key

in this tv^nm 'A!) ifne-g'^se*;! c.ifci«t sxoviCi-siS 

!r. a COCOOfs, vs'r::c.h in V!i5^<! the fern&.i xtcs c' Siis to 
ptQcessof sj«a r>C5jSiJ:««; a isiafcysiy ^&sy fns-.r!!-!at 
with high security. All storage and cryptographic functions are contained within the cocoon, so that no part of cryptographic process is visible to any external means at any stage of its operation. Only messages from the microprocessor to be processed by the secure co-processor and processed messages are available on the data lines, which information however provides no information at all regarding the secret key. In this manner it is impossible for any third party to find information on the secret key in an attempt to break the security.

As the secret key is stored in a volatile storage element, any attempt to access the secure co-processor



w)!! reswii ffi a ksss. ci 5;K.f >K K.^y s:;x h an aS-eftfit 
will be detected by the cocoon resulting in a loss of power and thereby in erasure of the secret key.

Aecofldlfng to tie imvet>'bon s meif-iOd se^sj; a d«J ■ 
■5 spfCCSSsioQ is provided using a secrs! na-v, ^cmpi iSirnj 
the of loading Jh«> seoat i<ey in t?-;e stoiSi^s «-;a- 
nient send>rsg sncr.p'ta>2 inK^mation froiT, the rr^'O- 
psxJGessor to the a>-p!\>;i?ssof v;a the oata imes 
iogathar wifh oonlioi inforsr^fean i^^ng tha sana' ^«•y ;o 
-~ .:>x -yr; s«"tid iot&mwtion .i-s a^x-o asrfco ivan ;ns- <;<.■!■!*■• y 
matjon as ths? <.o-i;;!OC'?«<50!. as-sin^ rstKatsHg Vr-i 
diKrfypEiKi iOtofmatfOfX iisxJ o&ifig ths de>;rypted fofor- 
fnstion in gceo!da!x:e wfth tijs oontroi frifcjrraation. 

^ S ^ s > v ' t ' X " a*- 0 

0(Cmi acc-Oidint; xq fne inventscn ss shos*n in a vsfy 

By way of example it will be assumed that the integrated circuit shown is part of a smart card used in the conditional access module of a decoder system for pay television. However, the invention is certainly not restricted to such an application. On the contrary, the invention can be used in a wide area of cryptographic

ss The srttssf^ed cifotit soir^rises a rvsjcti^rocsseoj- 
t and a ses«rs coisxscsssor 2 mx?pmimA m a 
socoon 3 of secorify mr&& which rrsay iticiijdc pc*s«, 
^eyfid mmt mm mm. Th« s®c«fny mm 3 «r« 
indicated tsy u tine syrrwtcSifig scs»pf &ces- 

S!3 estf 2. is^ itte aetue! im&gf^ circuit tSie eo^p40ce^f 2 
wiii be cavgfsd sofe^amiaSV soopieteiy by tha sacutity 
ssires at at firjs tc^ and bottom sides it ss obsarvsd 
1t?af §ts terra cocotm ss i^ed in this spscsticatiGm can Ps 
a laJ:^inth, cav^ or encapsuisiiof-s of poxycr, sroijrxt 

ss i^MHss setose visrss or aostfjsf ac|iv« Oi- passsv^- ms«ns 
prs\?sn{iog access to th« co-pfocesso; Z 

l>!e co-procassc-r is xnnsicts)^ to other circijitfy 
oi the irte^fated ciic^iis, psf t^coi-^r ip a oipck ci'coii not 
^showo a?x! to jhe f!'!K.'.''X-fC5ca'jS0i 1 isy dock and data 
«nax 4. S The cc-psCfcesso" 2 con-$;nsss a crypto- 
gsaphic unit f a c<:>n5roi u-iit ? and u v„^.s-";5 ^,to>aga eis;- 

fSWni 8 atk"-:ng 5^ ^ieC'et i^ev Tho vryptO'Xai-n;>; unst 6 

co'''pi!H-s a c4Civv;t;on a^'uini:* {*, an a;.:;i-!ant!cat:C'n 
engine iO and prefaiabsv aiso an aacs-yption erigine It, 

-js Fudhai', the csvptogfafsnic unit 6 indtides a ana-way 
tursctan >c<;-\ ID to oad >M secrst i<sy into \h& sto'sga 
element 8. Power consumption of the elements of the secure co-processor is very low and power is provided by a battery not shown.

The storage element 8 for the secret key and all cryptographic functions are contained within the cocoon 3 so that no part of any cryptographic process is accessible to any external means at any stage of operation of the co-processor 2. The actual decryption, encryption and/or authentication functions are no part of the present invention and therefore a detailed description of such functions is not necessary. Any decryption, encryption or authentication normally used in crypto-
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2 is pi 



« a cryp- 



Any attsnpt to enter the cocoon S rssuft in a 
contact With any cf She sense w^^ss or s sn<5^ t CircuHiiig 
of qfouixi aal powsf !^<i!es so mat She o»v&- oJ Sie co- 
piocssscsr 2 b<% disc-oniiectso Such s;'! attempt 

siOf«t in -he :5to;«g«: =M4:n^«;nt 8 

loading s sfi'iisM key in tns; iSos^Oi) -.Mt-'n-ifint 3 by sonciing 
a ssiii^ ihsough Sh«< onsr-w;-}- nicofcon DiCcK -iS tc> Sh?; 




4, int^-g^atsdcKcyiu 




wh;c!-i dfcx;fvp;Lvi or etxif vy'iof! aigo? itt-m ia be used 
by th« a-pjocesao;- 2 5-?xi g-iy ether jeQv;ife<i confi^uia 
(54) Browser system

(S?) A W>^ brcwssr (210) is coif tguf5>d to sn s 

<(*.>i>rhstSlion {CMW} (£00) T>;9 ciisialic-:!-, oi i;5<; vVi>b 

othsr cowpsr*net){s C^W miSd>in® (200) as g 
f esuit of mandatory access eorstpc^ PAC), whi&?^ is cotj- 

The Wsb browse (210) communic;^rfes ^i^h vV^sb 

being Goon&ctsd so outside ccfrpvarsf^^ent cf 
CMW miKhine (J; 10-. s'ia a trustsw ciitss's- pfocs.-js 
(TPO) (214). TPO (214) has the privileges required to override MAC. The Web browser (210) communicates



a ^?.o.^Y Tv? ve; (S.vj wh.ch ss sttschsd to m 
::i5C!e co;^^p^ft;nerr; (;?04;. oi sixi CMVV tmo^srts (210), 
v:<; a insicie p»,x:e5s (TPi) (204). W{ also has 

privileges to override MAC. The Web browser (210) can request and receive Web pages incorporating mobile code, and can process the mobile code safely within the middle compartment (206). As a result of processing the mobile code, the Web browser (210) sends only messages to the display server (232), in order that the display server can render the images resulting from the processed mobile code.
[0001] The present invention relates in general to computerised systems, for downloading, or 'browsing', information stored in computer-readable form. More particularly, although not exclusively, the invention relates to a browser system for browsing information that contains mobile code retrievable from the World

|.CK)G2| The Wosld W!d;5 Weib (vv>&) rs-i^y b-? sj^&u^hl oi 
a« 3 ^icbaS v:ii,sg^ wx-fs ssfppuJ^ifS i->c<;S;j; 

a? trie 'ntejnet ^o-'ftjs the su^ists Th^^ <;or;pi(tefs> 'lav? 
aci«K?;;'>.^ -JP ^'n-yim) sxim^mg of foui nur-ibe-s^ 
s>?s.'«:aH-<j by pfc:-;ods Mgnv hosts aisc i'>a'v<9 njcKfia^?e% 
known as domain names. A Web site typically consists of a UNIX or Microsoft Windows based Web server, which runs on a host and 'serves' software or content to other computers accessing the Web site. A Web site is not a single application, but a system that provides access to applications and data stored on the host, as
waii as imkia ars or§afifS3.ttosu A yssf afeSsas a Wsfe 
htmm' tmrAnQ m s cSiam cmps.Jtst to ace«$s tha 
«oft*fsara er esrsS^ sn tha W^b: sa?vgr: 
ld(m] Rgurn 1 ifestratas. a <^im% cm^iM 100 sses- 
cufirsg s vVsfc> bfO^vsar program 105 ihat is affipiqysci by 
a us&r to c&rrsrriufiioats ffver the 11 S, in a 

csi lar^guags caissd Hyparlasct Transfef PratocoS 
(HTT?) 1 15. a hosJ eoJ>iput«f ISO a»ytjsig s 
server program 125 to obtain data. Hereafter, the term 'browser' may be used interchangeably to describe a Web browser program or the program in execution on a computer, depending on the context. In this diagram, and in following diagrams, solid connection lines represent physical connections between hardware and broken connection lines represent communications

IramactiOii snvoives the transmsssKsi ot We» p^Htss, 

vv„^b»»fv,cf \"'''^>*^fc 'V>\ v>'Sfe! I'^S to '■t'-vxe'>i 
by the user at the Web browser 105, the Web server 125 translates the HTML-based Web page into HTTP and sends it over the Internet 110 for display as a Web page on the requesting browser 105. The Web browser 105 receives the HTTP-encoded Web page, translates the HTTP back into HTML and displays the page.
[0004] The concept of 'mobile code' has been developed to extend the functionality of the Web. Mobile code is typically code associated with a Web page which, when downloaded from a Web server, automatically executes within the environment of the requesting Web browser. In a simple form, mobile code can be used to enhance the graphical appearance of a Web page by,



tsM fexamptft, i!npi■•^n^^^nii•xi s;r;pu; ariifji^iion. it envis- 
aged, hovvevar. that inci-«;s- cc'de vviii be used to ifjpie- 
mant nfsarty diffsjant afid is? nioie conipisx functio-'is 
tiffera, A gocsd axanpia of o;ie vise lo^ •r^oijiie code is to 

download transactional clients, which support specialised user interfaces, to support data transfer between client and server applications.
[0005] Commonly, mobile code is written in the Java programming language as a Java applet. Mobile code

is n^sv ah>o b*.- wi;ttijr5 in other isngyages;. such ^OBhiid 
■.r [hf- Ac:\i;-K nKsdei- Both -Java sppim ana Ac-iv:>x 
c:o- ii;ol nir<c". ::>ns cars ba ^a-sb^led into a ^tarniSfCi Wab 
Qsgii "h'? ;■■•■:> j!>a sift^pts ssaratiofi of doisjrtksading a 
vvei> i>iiQf c.5n atsa d»*va!&ad a?id activate associatad 

ff nioosis code, 

COOOei W'^ -? -Ti^b caty :raf! Qfesuiy tr.<-erK5thefadc- 

K'K*iie code, asvcs Web tjfowsar-s that f^n 
: v^-" s- s.,.x.\\ are d«ve!Cp»?ct gcoofdsng fe rigid security 
C!„"C!aiin&a wfisc^-^ are :ntsi-k2sd to pfeveni the p^jssihiiity 
that malicious users can use mobile code to cause harm to the computing environment surrounding a Web browser. However, there are already many documented
ss lis&fifs ift ^ security measures, ^hch ima isad to davas- 
t^tsg rssaiis, %)tcaity, the part^ dowaioadirss roQua" 
mobile code would be unaware of the damaging effect thereof until it was too late.

PJOS] SotmsefisysrTKjfeite code sSa<teHftowR take 
ss aeivantaaa of tn^gs tfs tbs fnc^iie 08d« proce^irig envt - 
rcsnmaiit of fjg Wab bfcssssf, which s^<m the srsdji^e 
aode to gairs commi the opsrating syst&frs of the 
computing platform. From this position, the mobile code could cause damage such as deleting all files on the computer, or even launching attacks on other, networked computing platforms.
IWSJ Other S0iou& n-!<^!!e code attacks ara t^?X'v>;rs 
as "social engineering" attacks. These attacks rely on tricking an unwary user by, for example, sending the user a patch for the Web browser, and suggesting that the patch is to remedy a security flaw in the Web browser. The patch, instead of being one that remedies a security flaw, actually overwrites good code with code that creates a security flaw. There are many other ways of tricking unwary users in this way.
[001 SI Wsh orowsa;^. which can nm n-!Ot);ls code, 
such as Netscape Navigator™, typically include the option to 'disable' mobile code processing, thereby preventing the potential for any damage, even if mobile
cexris ;s, dOA-'s-iiOyStiisc;. ;":;t cou;a«' tnis rriO'tcel n-if-asuii;', 
vvhiisi aeino vsry 8!t<=iCSiv&. aisc- ream'SS any ben&fit 
whsch can be obtajnad tro.-?'! genu:r;a, s;a-o trm^^i; c<xte 
[0011] It would therefore be desirable to have a system in which mobile code can be executed safely, while at the same time not allowing rogue mobile code to cause any damage to the system.
[0012] In accordance with a first aspect, the present invention provides a secure browser system as claimed

[0013] The term browser is commonly associated with complex and sophisticated programs such as Netscape Navigator™ or Internet Explorer™. These programs

!T)0!0 biMidiy to snskde any pr-^gtsfr. or systOf« 

to Ihe b!0\ii'Sf>!' Futtn?:'. ('5 fcEOiVS-i! i'5cc;a.'d:f:g io 

sea-^ufctio a^: a i^wH ol fc- yx;^'npis> some form 
push" t»<;hr-:ciio^y, wh:ch diss^bu^vs fssour^jfes or m$s- 

[0014] The invention has the advantage that mobile code is processed in a secure environment, so that the client, which is apart from the environment, remains relatively safe from attack. The client only receives data from the browser to visualise the output of the processing of the mobile code on the browser. The client is, therefore, in effect able to access mobile code, and see the result of the processing of the mobile code, without being subjected to any threat from rogue mobile code.

snwmjori, Ihe browser systw cost^Hsqs s secure op«r< 
atir-!§ system, fof exsft^is or>« whssh eft^ees Mwia- 
lory Access Cornro! {MAC), such that f?^i!e cade arid 
tiis b-mser ars urrabie to damage the system rurtnjrjg 
tiie brcwser, i&t sione the cissnt. 
[<KH Si W^iiia ths fovsntioo, genemi, aw to prrste^ 
user systsn'is 5rom (^gtse s-no^i^e cods, and Irctrti vo^i^f- 
aMe brows^fs runf;ir>g rogus j-nobile coda, antxKif- 
ma?~its vw^cfi &f>-!p!oy secure c^watiog systwss, such as 
ti^oss providing MAC> can be cortf igiired to SsSso ptavide 
a high sevei of jxotsctioo 5c the co?^tpytt>r piatfonr tfjat 
supp<5rts the temw i-usinino She niobiie .:cd?> Such 

systems consecuentsy x'-v-? j:c j-xv 

;on t5 ys-sj-s Sjf'vStems, by .i'^.-x'y >5 - „^ 
mobile code reaching users' systems, or other parts of the network by some other route.

[0017] Other aspects and features of the invention are described and claimed below.



[0018] A preferred embodiment of the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which:

Figure 1 is a diagram illustrating a standard Web

Figure 2 is a diagram illustrating a CMW machine configured for operation in accordance with the present embodiment;

Figure 3 is a diagram which illustrates the 'dominates' relationships between compartments defined in the CMW machine of Figure 2;

Figure 4 is a diagram, which illustrates the relationships, and protocols that exist between the processes that operate for the purposes of the present embodiment;

Figure 5 is a flow diagram which illustrates the steps required to configure a CMW machine to oper-

Figure 6 is a flow diagram, which illustrates the steps involved for the purposes of the present embodiment when a client requests a page including mobile code.

Agsfeyiily 

[0019] In the present embodiment, the Web browser operates on a computing platform within the environment of a secure operating system that enforces MAC. A particularly suitable secure operating system is the HP-UX Compartmented Mode Workstation (CMW) sold by Hewlett-Packard Company, which provides a MAC policy governing the way data may be accessed on a trusted system.

[0020] The MAC policy is a computerised version of the US Department of Defense's long-standing multi-level security policy for handling classified information. The MAC policy uses labels that reflect information sensitivity, and maintains those labels for every process and file system object to prevent users not cleared for certain levels of classified information from accessing it.

Under MAC, users and processes are also assigned clearances. A clearance defines the maximum sensitivity label the user or process can access, which is necessary since some processes have privileges that allow them to switch between sensitivity labels.

Using the MAC policy, the operating system controls access based on the relative sensitivity of the applications running and the files they access. The HP-UX CMW operating system rates as a B1 grade secure operating system, according to the Orange Book
■I? [UCBQ criteria se"$> B i ar^o f^^g- e; -prede c^erat- 
ing systems app^y son-;e of ti.'iAC 
[0021] The HP-UX 10.09.01 CMW [DIA 91], is described in detail in documents, referenced at the end of this description, which are available from Hewlett-Packard Company. At the time of writing this description, HP-UX 10.09.01 CMW is the current version of the operating system. Future versions of the operating system, and the respective documentation, will, however, be relevant to the present description and embodiment.

[0022] Hereinafter, for convenience of description only, the term "CMW machine" is intended to mean a computing platform with an operating system having



below. A particularly suitable operating system is Hewlett-Packard Company's HP-UX CMW operating

tlK^SI T e ^ J c>ta»r p-on cs*»C! be« m timt\ 
how to use Mandatory and Discretionary Access Controls, Sensitivity Labels, Trusted Processes and Privileges on a CMW machine to restrict the behaviour of mobile code and of a Web browser that downloads this

n5:0l-K! via ar- :n;<2fn«i ni?iv<!c~!i! i< 2.?0 io s us>e> rfUicN-H' 

Cfinna;54KS to cV=s>; app&fStus. '-^iiy^ilix^ -ft- :< y iva ? 
{Isb4-Hi,=d S3?. 3?6 ar!Ci r^i>iX'C*iv<?Sv} which 

a connection from the CMW machine 200 to the Internet 240 (via appropriate switching and routing equipment, which is shown). The user machine 230 can be, for example, a PC, a UNIX workstation or an X terminal. For the present purposes, the user machine 230, in whatever form, is running an X display server. The internal network 220 comprises an Ethernet, which supports TCP communications between the user machine 230 and the CMW machine 200.

[0025] The CMW machine 200 is configured to have one classification: System (S) 202; and three compartments - Inside (I) 204, Middle (M) 206 and Outside (O) 208. This generates eight sensitivity labels (the relations of which will be described in detail below) of which only five are used in Figure 3: S, SI, SM, SO, SIMO. The three other possible sensitivity labels - SIM, SIO and SMO - are unused in this embodiment. The CMW machine 200 contains a Web browser 210 which is confined to run in the SM compartment. The Web browser 210 in this case is a Netscape Navigator™ browser. A compartment is, in effect, a virtual machine within which processes and file objects associated with the virtual machine can operate
fO<5?6i a uv-ny s;-3ys: atschisc to tn^- Si 

external network is attached to the SO compartment of the CMW machine 200. Thus, data received from, or transferred onto, the external network acquires the sensitivity label of the SO compartment. Also, data sent to or received from display server 232 acquires the sensitivity label of SI compartment

[0027] As already mentioned, sensitivity labels are associated with every process and file system object, and are used as the primary basis for all MAC policy decisions. A sensitivity label represents the sensitivity of a process or a file system object and also the data each contains. If an application and the file it attempts to access have compatible sensitivity labels, the application can read, write, or possibly execute the file. Each new process typically inherits the sensitivity label of its parent. For example, if a program is executed within a shell (for example, sh(1), csh(1), or ksh(1)), the new process automatically inherits the sensitivity label
of She shefi process. Nav fiies aiways snhsnt tha sensi- 
rij-^i- p;atsss»5atci&«t$s^sis'-!i Ins ^y^sten"; 

employed for changing the sensitivity label of a file after it has been created.

ltXJ2S] Ss-mit v.sy iaisei-; as a p!:a^;tiai?ci *;;f hAM) a 
way >!"!«■ d<sisrin:o&s j-icw pros«a3<5s or ob|$ct& havsng 
one sansftivisy iaP&i oao mtemct mh procmmi or 

CSjjf-fi , i,' f^!!' v>Sf Sa>if> ""hf pn>iftt--.a- 

tion is defined internally of the operating system. The diagram in Figure 3 represents the relationship between the parts of the system illustrated in Figure 2.

In Figure 3, the arrows point from dominating sensitivity labels to dominated sensitivity labels. Thus, in Figure 3, SIMO dominates SI, SM and SO; SO dominates S; SM dominates S; and SI dominates S. It should be noted that SO, SM and SI have no dominates relationships between them. Also, the labels SIM, SIO and SMO, which are not used in the present embodiment, are illustrated for completeness in boxes with dashed lines to indicate where they would appear. One further important aspect of the dominates relationships, which is not shown in the diagram, is that each sensitivity label dominates itself.

[0030] Users are generally not permitted to downgrade (by reducing the respective sensitivity labels of) any file, process, or objects which they control, so that the label is dominated by the previous label.
*^o. ysefs are p&rmim to c»oss gfsda tt-am so 

that the new label is incomparable to the previous one. The system is also configured so that downgrading and cross grading are not enacted automatically by the acts of reading or writing.

The effect of the MAC policy is to tightly control information flow in the system, from process to file to process, to prevent accidental or intentional mislabelling of sensitive information. To achieve this, for every operation, the system compares sensitivity labels to determine if a user process can access an object. Any time a user or process tries to read, write, or execute a file, the system examines the process and object sensitivity labels and consults its MAC rules. For each operation a process requests, the system determines if the process has mandatory read or mandatory write access to the object. Most restrictions that the MAC policy enforces can be summarised by the two following rules:

(1) Mandatory read access: a process can read or execute a file, search a directory, or (subject to other privilege requirements) read the contents of other objects if the process's sensitivity label dominates the object's. All of these operations involve transferring data from the object to the process, so





having such access is referred to as "mandatory read" access.

a file, remove or create an entry in a directory, or change any object's security attributes (including its sensitivity label), if the process's sensitivity label is the same as the object's. All of these actions involve transferring data from the process to the object, so having such access is called mandatory write

[0032] The first rule prevents a user who is not

for classified information from seeing it. The second rule

prevents a user with high clearance from revealing

[0033] MAC in the CMW machine 200

ensures that information can flow only in the opposite direction to the "dominates" relationship. This MAC allows the mobile code and Web browser 210 to read data only with a sensitivity label of "S" or "SM". The Web browser 210 and mobile code can write to data only with a sensitivity label of "SM". Neither the browser 210, nor the mobile code, is able to gain direct access to

these have sensitivity labels of "SI" and "SO".
[0034] The CMW machine 200 does not impose the concept of an all-powerful "Super User" ("root") or administrator. Instead, the power is in a number of privileges. Assigning privileges to a program confers on it the power to do particular actions. Programs with these privileges are known as "trusted processes". Trusted processes, TPI (trusted process - inside) 212 and TPO (trusted process - outside) 214, shown in Figure 2, have the privileges that allow them to override the MAC. Thus the Web browser 210 and mobile code must use TPI 212 and TPO 214 to gain access to the internal and external networks.

[0035] Trusted processes are typically very small programs, which are carefully designed to carry out a specific process, such as passing data between compartments in a CMW machine. Trusted processes have privileges which enable them to override MAC but these privileges are only raised when required, and lowered thereafter, to minimise the

trusted process checks whether a user or other process has the right to access it, before allowing such access.

[0036] TPI 212 is a trusted process that manages the interaction between the real Web browser 210 (and mobile code) running in the SM compartment and the display server 232 (running) on the internal network. In some embodiments the display server 232 could in fact be running in the SI compartment of the CMW machine 200, but this would be less likely in a networked environment. TPI 212 has the necessary privileges that enable it to override MAC and pass data between the SI and SM compartments.

TPO 214 is a trusted process, which manages interaction between the real Web browser 210 (and mobile code) running in the SM compartment, and the internet which is connected to the SO compartment.

All messages from the Web browser 210 (and mobile code) to the external network are sent via TPO 214. TPO 214 can be configured to block undesirable messages from the Web browser 210 such as attempts to communicate with prohibited external sites or attempts to download mobile code from certain sites. Additionally TPO 214 can be configured to block messages emanating from the downloaded mobile code when it executes in the Web browser 210. TPO 214 can also be configured to filter incoming messages, intended for the Web browser 210, in a similar fashion to a packet filter

Ot t'r^s<-.5ti VV-R. :,.-i, ^Oin- 

s oi. f V i ' i f < tv>,\. ^.s^fini;;. c >o t ''0 
2-^1-, - ^ ' ii* ''SX>\S^«{>CtOr!^{tvThst 

is to 'i?-.> -^-ir IV?;, ' ovw SiO rnust sa?^t SOCKS, 
as wsii be dssci ibsd pgioi'sf; 

[0039] The Web browser 210's executable file, the files, directories and the resources that are only read by the browser 210, such as the configuration files, are given the label S. The result is that the MAC protects these resources so that users, a rogue browser or malicious mobile code cannot bypass the security administration by overwriting them with their own copies of these files. Other files that need to be both read and written to by the browser 210, such as a bookmark file, history files or a cache, are labelled as SM.

[0040] All the hosts of the internal network 220 are given the label SI and all the hosts of the Internet 240 are given the label SO. Since the Web browser 210 has no privileges, it and its child processes, such as those executing the mobile code, can only run with label SM. Therefore, the behaviour of the Web browser 210 and mobile code is confined to the SM compartment.

-• [004 St Thus, the rr^achii-sa 200 ccsiti^ui-atson 
■\.%" ■■ ^■jia 3 enaufes that thi? WtsP piOvvaaf Jno 
isti i-ij oofi-par!inf:"it canfiol !fJt>;ft<Si'» wtt! 
other processes running with other sensitivity labels. The configuration can be generalised to an arbitrary number of middle compartments (Middle_1, ..., Middle_n). Each compartment can be used to isolate a Web browser 210 and any associated mobile code accessed by a user connected to the CMW machine 200. If some controlled sharing of information between the code in the Web browsers is required, multiple browsers can run in the same compartments, under different user identifiers. The CMW machine 200 therefore acts as a Web browser 210 server to let multiple users on the inside network use browsers 210 and mobile code securely and conveniently. Each user has a personal copy of his or her Web browser 210 resources, such as a bookmark file, on the CMW machine 200, with these resources all having the same sensitivity label

Conventional Discretionary Access Control (DAC), as found in general operating systems such as UNIX, can be used to specify which local files owned by one user the mobile code downloaded by another user can
[0042] The implementation of the above architecture consists of the four components, three of which have been described above: namely TPI 212, TPO 214 and the Web browser 210. These three components, and a

relationship between these four components and the

is a parent process to TPI 212, TPO 214 and the Web browser 210. In other words, TPI 212, TPO 214 and the Web browser 210 are child processes to the TBFE. Communications between TPI 212 and the Web browser 210

Web browser 210 and TPO comprise SOCKS messages and the communications between TPI 212 and the display server 232 comprise X-messages.

[0044] The following six privileges are defined within

embodiment to support the present system:

Allowmacread: overrides MAC restrictions on read operations, allowing a process having this privilege to read an object's data and attributes regardless of

Allowmacwrite: overrides MAC restrictions on write operations, allowing a process with this privilege to write an object's data and attributes regardless of the object's sensitivity label;

Chsubjsl: (short for change subject sensitivity

change its own sensitivity label to any label dominated by the process's clearance;

Configaudit: required by the ioctl(2) interface and used to configure the security audit system;

Suspendaudit: if raised, the security audit system does not produce system call records on behalf of the processes. Most trusted processes raise this privilege because they produce their own audit records, making those automatically generated by system calls unnecessary; and

Writeaudit: required by the write(2) interface of the audit device to append records to the audit trail.
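
The "dominates" relation, the two MAC rules and the Allowmacread and Allowmacwrite overrides described above can be checked with a small model. This is an added illustration, not code from the patent or from HP-UX CMW: the function and class names are hypothetical, and the privileges are plain strings in a toy model rather than a real operating-system interface.

```python
from contextlib import contextmanager
from itertools import combinations

CLASSIFICATION = "S"            # System, the only classification configured
COMPARTMENTS = ("I", "M", "O")  # Inside, Middle, Outside


def parse(label):
    """Return the compartment set of a label such as 'SM' or 'SIMO'."""
    if not label.startswith(CLASSIFICATION):
        raise ValueError(f"unknown classification in {label!r}")
    comps = frozenset(label[1:])
    if not comps <= frozenset(COMPARTMENTS):
        raise ValueError(f"unknown compartment in {label!r}")
    return comps


def all_labels():
    """One label per subset of the three compartments: eight in total."""
    return [CLASSIFICATION + "".join(subset)
            for size in range(len(COMPARTMENTS) + 1)
            for subset in combinations(COMPARTMENTS, size)]


def dominates(a, b):
    """a dominates b when a carries every compartment that b carries."""
    return parse(a) >= parse(b)


def can_read(process, obj, raised=()):
    """Mandatory read: the process label must dominate the object label."""
    return "allowmacread" in raised or dominates(process, obj)


def can_write(process, obj, raised=()):
    """Mandatory write: the process label must be the same as the object label."""
    return "allowmacwrite" in raised or parse(process) == parse(obj)


def access_matrix(process, labels):
    """Unprivileged access of a process label to each object label, as flags."""
    return {obj: ("r" if can_read(process, obj) else "-")
                 + ("w" if can_write(process, obj) else "-")
            for obj in labels}


class Process:
    """A labelled process whose assigned privileges stay off until raised."""

    def __init__(self, name, label, assigned=()):
        self.name, self.label = name, label
        self.assigned = frozenset(assigned)
        self.raised = set()

    @contextmanager
    def privileges(self, *names):
        """Raise privileges for one operation only, then lower them again."""
        missing = set(names) - self.assigned
        if missing:
            raise PermissionError(f"{self.name} lacks {sorted(missing)}")
        self.raised |= set(names)
        try:
            yield
        finally:
            self.raised -= set(names)

    def relay(self, src, dst):
        """Move data from an object labelled src to one labelled dst."""
        needed = []
        if not can_read(self.label, src):
            needed.append("allowmacread")
        if not can_write(self.label, dst):
            needed.append("allowmacwrite")
        with self.privileges(*needed):
            return (can_read(self.label, src, self.raised)
                    and can_write(self.label, dst, self.raised))


USED = ["S", "SI", "SM", "SO", "SIMO"]  # the five labels the embodiment uses

if __name__ == "__main__":
    print(all_labels())
    print("browser at SM:", access_matrix("SM", USED))
    tpi = Process("TPI", "SI", assigned=("allowmacread", "allowmacwrite"))
    print("TPI relays SM -> SI:", tpi.relay("SM", "SI"), "raised after:", tpi.raised)
    browser = Process("browser", "SM")
    try:
        browser.relay("SM", "SO")
    except PermissionError as err:
        print("browser blocked:", err)
```

The matrix for a process at SM reproduces the behaviour stated for the browser: read access to S and SM, write access to SM only, and nothing at SI or SO without a trusted process in between.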

TPI 212 comprises a proxy display server (in this embodiment, a proxy X-server [X Windows]). The Web browser 210 in effect sends all X requests needed to render itself on a screen to TPI 212, rather than to a

local display server. Subsequently TPI 212 forwards the requests to the remote display server 232 running on the user machine 230. TPI 212 can also be configured to filter out undesirable or dangerous messages before forwarding them to the remote display server 232 on the internal network 220. For example, TPI 212 may be configured to connect only to a predefined set of hosts or clients, and only to the display servers on those hosts. The details of such a configuration are beyond the scope of the present description, but are within the limits of ability of the skilled person.
[0046] For operation in accordance with the present embodiment, TPI 212 requires the Chsubjsl privilege to allow it to receive connections from both the SI and SM compartments. TPI 212 also requires the Allowmacread and Allowmacwrite privileges, so that it can pass data between the SM and SI compartments. TPI 212 also needs Configaudit, Suspendaudit and Writeaudit privileges to configure, manipulate and write audit records, as mentioned above.

TPO 214 comprises a connection request proxy, which in the present embodiment is a modified SOCKS server, and uses the SOCKS [SOCKS] protocol to communicate with the browser 210, and mobile code downloaded by the Web browser 210, in the SM compartment. SOCKS is a well known freeware proxy server used to relay TCP streams between a client and the Internet 240. It is known to configure and use SOCKS as a filter or firewall

[0048] SOCKS is modified in TPO 214 in the present embodiment so that it can accept connections originating from multiple sensitivity labels. That is, TPO 214 can accept connections from the SM compartment, as well as from the SO compartment. This is achieved, as with TPI 212, using the Chsubjsl privilege. TPO 214 can also pass the data between compartments having different sensitivity labels using Allowmacread and Allowmacwrite privileges subject to the security criteria set up by the system's security administrator.

[0049] TPO 214 also needs Configaudit, Suspendaudit, and Writeaudit to configure, manipulate and write audit records.

[0050] The process for initialising a Web browser 210 and its associated proxies will now be described with reference to the flow diagram in Figure 5.

[0051] In step 500, a TBFE is started remotely by the user, who has an account on the CMW machine 200, which authorises the user to activate a Web browser 210. The user can start TBFE by making use of remote execution functions provided by UNIX, such as 'remsh'
or ^fsss:ec'. lb do tbis, tbe user waisld tsst bav* to b§ 
^c^gsKs on to tbo OVItiV n.-ac-'-iino ?;00- Too servor verslob 
of these functions can be rewritten to take the advantage of the CMW machine 200 to enhance security, but a description of how to achieve this is outside the scope of this text. A shell script to start the TBFE on the CMW machine 200 is installed on the user's machine. An alternative to a shell script would be to use Secure

server (on CMW machine 200) to pass the X-messages to the SSH client (on the user's machine). The SSH client then forwards X-messages to the X-server running on user's machine
i0a&2l i- stiSp 3 if} TBPc siaf -so >t reads atid 
parsfs its coi'iMCiUf t.') check sesrssrtiiC epos^ 

# iioe& staji wilti # sse e<so^i§nts 
# 

# siarj ^ at system sftsids afl<J !^ it » with systs!« 
B£0!NJNiT( 

PFJOGRAM 'Tiorr s.-^iryj 

LEVS. 3VS"eM srsiS DE 

AR^3 SYSTEM ^ztog-q-l-nl 
lENO„!NiT 

LEVEL: SYSteyOytSiSE 

l^tgijfwsts passed to pros^am to cisiihg SOCKS 

h 

#staft nstscspe at system midd^ewSfi theipi as te 

PROORAM: n8ls<:«$E>§ 
LCiVKl.- SYSTEM S^iODU 

i^Noixc^po c«>f iaufa&sti sfgumsnt 

ARO <iiSpUsVf IsJCaitlOSt: 1 

»^ 

■0055) 5;9c.f 5 process » s.pa«.nec} bv s! TBF [-: f>a^ 

0!-ii> ^"-itry !f: tf:e TB'E C;C''"'K;v.-?>t!0'' 5 :e COf)!-iJU 

tatiO?^ i;? tet«i iii^i^^^i. are ^'j k<>. W\ 2n 
TFO r:-i4 a--:d 'v^^eb b^ov^-sei ,3 s-iacii antsy snea- 

gi^sft-i «;x; !f--i p%ra.i^s-Sft'? (s-Ctjrn^si! v«-CK--fi or "Pos^ 
which should be passed to the program. The parameters define the communication channels between the different processes, such as the TCP port number that the TPI 212 should listen to and the X server that the browser 210 should direct the display message to.

[0054] The TBFE configuration file includes an entry for TPI. The entry specifies the location of TPI 212 program, assigns to TPI 212 the label "SYSTEM INSIDE", and declares the following parameters: "-I"



21S to intefsCT wstii. 's' csiiJi^js ;h8 diipiay s^r^'sr 232 
'"xhofjg-q-r to used, and ' f!" dfefsnes tne p:o,-^. 
mrch^x "V ussd ^or corni-riunicstions With rhs d;q:;iay 

server 232. In practice, display servers are allocated port numbers running from 6000. Thus, a proxy number of "1" maps to a port number of 6001.

[0055] The configuration file also includes an entry for TPO 214. The entry specifies location of the TPO

ft' 214 pfOQfam. as-ssgas so "it--(> T-i siM 'SY!S"■i:^J 
C rSfO^ " aPd < K tr « " > \ f ^' 3 n^^t^> ^ i" 
dstjr-gs ti-Vi dei3u:i Si?v8i a? 3': assi •-;■>* ■:.tt!x;:5 aii the 

[0056] Finally the configuration file includes an entry for the Web browser 210. The entry specifies the location of the Web browser 210 program, assigns to the Web browser 210 the label "SYSTEM MIDDLE" and declares the parameter: "-display localhost:1", which configures Netscape to send display messages to TPI 212, on server number 1, instead of the default X-server.

[0057] After reading the configuration file successfully, in step 515 the TBFE processes the entries one by one. For each entry in the configuration file, in step 520, the TBFE raises Chsubjsl privilege, which allows it to adopt the sensitivity label required for the respective child process in step 525. In step 530 the TBFE drops Chsubjsl privilege, to prevent a spawned process from misusing it. Then, in step 535, TBFE spawns the respective child process. The TBFE changes its own sensitivity label to the required sensitivity label of the child process that it is going to spawn in order that the child process inherits the correct sensitivity label, as specified in the configuration file. Next the TBFE again raises the Chsubjsl privilege in step 540, to return to its original sensitivity label in step 545 and, finally drops the Chsubjsl privilege in step 550. This process repeats for entries in the configuration file until both proxies and the browser 210 have been spawned.

[0058] Finally, in step 560, the TBFE waits for one of the child processes that it spawned to terminate. This will usually be the Web browser 210 when the user has finished using it, and then, in step 565, sends exit signals to the other child processes, and itself exits in step 570. Thus TBFE acts as a single point-of-entry to the Web browser 210. Also, the TBFE will terminate the
wHQiij ciitJu& processes vshso any sii^te mojir^sf tsr- 

[0059] Other than the Chsubjsl privilege TBFE also needs Configaudit, Suspendaudit and Writeaudit privileges to enable it to configure, manipulate and write audit records. Audit records may be used as a historical log of events, which can be analysed to trace any illegal activity, potentially resulting from rogue mobile code. Auditing is well known in computer system management practice, and will not thus be described herein in any further detail.

[0060] When TPI 212 is started by the TBFE in the SI compartment, TPI 212 makes a system call which allows it to act as a multilevel server. To make the system call, TPI 212 requires the Chsubjsl privilege. TPI 212 raises the Chsubjsl privilege, makes the system call and then lowers the Chsubjsl privilege again. Once acting as a multilevel server, TPI 212 can receive connections on its allocated TCP port from the SM
[0061] When the TPO 214 is started by the TBFE in the SO compartment, TPO 214 also makes a system call which allows it to act as a multilevel server. To make the system call, as for TPI 212, TPO 214 requires the Chsubjsl privilege. TPO 214 raises the Chsubjsl privilege, makes the system call and lowers the Chsubjsl privilege again. TPO 214 is then able to receive connections on its allocated TCP port, which is typically port 1080, the default SOCKS port. The port number is also defined in the Web browser 210's options to be used by the Web browser 210 as the messaging proxy port number to which all Web requests are sent.

[0062] Having started a Web browser 210 on the CMW machine 200, as described above, the user is presented with a standard Web browser 210 window, which is rendered in an X-window of the X display server 232 on the user machine 230. This display server 232 handles all keyboard or mouse interactions by the user with the window, sending events to the Web browser 210 on the CMW machine 200. The Web browser 210 responds with requests, which control the display server 232: for example to update the X-window display. For ease of understanding only, both X events and X requests will be referred to as X-messages. Typically, the initial display is that of the user's 'home page'.

The sequence of steps that occur when a user requests a Web page from a Web server 252 will now be described with reference to the flow diagram in Fig-
[0064] In step 600, the user submits a request for a specific page, or other resource. The request can be a result of the user selecting a hyperlink or typing in the respective URL (universal resource locator). This request is received by TPI 212 in step 605. In step 610, TPI 212 raises the Allowmacwrite privilege, to allow TPI 212 to override the MAC's read/write restrictions in order to transfer the request from the display server 232 (attached to the SI compartment) to the Web browser 210 (in the SM compartment) in step 615. When the transfer is complete, in step 620, TPI 212 lowers the Allowmacwrite privilege again.

[0065] In step 625, the Web browser 210 receives the request and attempts to initiate a connection with the appropriate remote Web server 252, which holds the required Web page. TPO 214 receives the connection request from the Web browser 210 in step 630 and raises the Allowmacread privilege, in step 635, in order to facilitate data transfer from the Web browser 210 (in the SM compartment) to the external network (attached to the SO compartment). Then, in step 640, TPO 214 forwards the connection request to the external network. TPO 214 also acts on the request to block communications with prohibited external sites. After transmission is complete, in step 645, TPO 214 lowers the Allowmacread privilege again.

[0066] The processes that occur once the request reaches the Internet are well known in the present art and will not therefore be described herein in detail. In step 650, the Web server 252 receives the request and responds by returning the Web page and associated mobile code to the CMW machine 200. In practice, one Web page typically references, and is constructed from, multiple data sources (typically comprising data such as formatted text and graphics images), which are downloaded onto a Web browser using multiple HTTP requests. In the present case, where the Web page includes mobile code, there will be a reference to at least one embedded process, for example a Java applet, which is downloaded to the Web browser in the form of byte codes.

In step 655, TPO 214 receives the stream of HTTP from the Web server 252. TPO 214 again filters the stream at this stage to block undesirable messages. Then, in step 660, TPO 214 raises the Allowmacwrite privilege and passes the HTTP stream from the SO compartment to the Web browser 210 in SM compartment in step 664. Then, TPO 214

The Web browser 210 receives the stream and interprets the content as a Web page with embedded mobile code, in step 670. The Web browser 210, which is configured to allow mobile code to execute, then loads the mobile code into memory and executes it in step 674. As a result of executing the mobile code, the browser 210 generates a graphical output, in step 677, and requests a connection, in 680, to pass the output X-messages to display server 232.
Pi633 V^^sri tb« W§b tjrcswaef 210 fixiii«;t3 a Con- 
nectfon f fom the Si^ coiwpsf tfr:eni . TP i 3 accepts rhe 
j-KiU'-rSi, avaiuataa :i fa"s3 'Me-s so n:ak.;; a !X.nntr.:;!iof! to 
the remote display server 232 in step 685. The identity 
and location of the remote display server 232 that the 
user is using is passed to TPI 212 as a parameter in the 
configuration file, as described above. On successfully 
connecting to the display server 232, TPI 212 raises the 
Allowmacread and Allowmacwrite privileges in step 690 
and, having established a connection, pumps the 
messages between the SM and the SI compartments in step 
695 to the display server 232. Optionally, some 
X-message filtering can also be performed here to prevent 
suspicious X messages, potentially generated by the 
mobile code, from getting through. 

Then, TPI 212 lowers the Allowmacread and 
Allowmacwrite privileges in step 697 and, finally, in step 
693, the display server 232 receives the X-messages 
and renders the X-window appropriately. 
[0071 3 The user a o? the internaS net'sork 220. who can 
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c-fily ccnoiK.! k; ^ha S- co:miii liT-i^ni. airmai bypass; the 
■jscrunSy 3Ci;n!r!;3i:ai:on by difS'tiy stastiog {ftetr smo 
Web browser. This is because Web browsers started by 
internal users cannot gain access to the TPO 214, as a 
result of TPO 214 accepting connections only from the 
SM and SO compartments. Web browsers 210 started 
by internal users directly can therefore interact only with 
the internal network 220. 

dssDibfK; ;'-;b:>vp do^iuin 0'":;v one s-pssoflc way oi myh- 
!•■:§ ^h^^ !>fes.8r!i ;.''y"?;:! !>r:. *hKh cortv'OPssntiy takes 

OthBi- QM'if-i cQ^riQb-^r-i op^fatifig sy-jtstn?,. 'juch <:;i 

embodiments of the invention could be implemented in 
any operating system, by configuring the operating 
system to provide appropriate functionality. The present 
invention should therefore be read broadly to 
encompass any system that applies the general teachings that 
are herein disclosed. 

[0073] It will be appreciated that the invention is 
particularly suited to increasing security in scenarios where 
transactional clients are downloaded as mobile code 
for interaction with other clients or servers in a 
client-server environment. Such an environment can be one 
tim &m^m s»tih ma CORBA (Commor) Ofejset 


w 

1 . A bsowse" ty»k-n-!, co'fsDf kjing 

?5 a t^=o\v:><5f Ds-x"!?-:.'-:, cftnJiQiHvv:; io !«:i>:?ivf: a 

mobile code and to process the mobile code to 
generate graphical output data; and 
an inside interface process configured to 
provide a communications channel between the 
browser process and a remote display system 
to facilitate transfer of the graphical output data 
to the remote display system; 

ss ± A brs^ssf- system according to csaim i , cort^rising 
an s^ratsVis system »tiicii ass!>dat«sprpc^«s or 
at^SK^ v«i!isrt ths e^ati«g srttfirofjmer^ of the 
«|3gtating ssfsS«m wi^ om of a nu«^t $ensiji\??t^ 
i^fe v*^sf«iri the kmm&f pws^ has a lirst sen- 
sitivity laJ^ and ciats associated >is^fh the rernote 
disp!^ system a saco}>d s«ns.'tMty isl)«f. 

3. A browser system according to either preceding 
claim, wherein the inside interface process has a 
first privilege which allows it to transfer data from 
the browser process to the remote display system. 

4. A browser system according to claim 3, wherein the 
inside interface process is configured to raise the 
first privilege when data transfer is required and 
lower the first privilege after data transfer is 
complete. 

5. .4 biov.'j^-; 4tyTU"-:s accoidinc; tc- ariy w-e d? ihi* pre 
4^ c&^-iing OtSifns, tuftbef cosT^pns^ins^ an outside inter- 
face p!0css>. wh.cn p;c.v;d«s a cx^m^m^r^cfi&:)ns 

msrsot-s dsTS ?.<5;.:fce to tac^it&te Uamiar otdata tsom 
m& fsav-ox?. <5ats -it-'usce to th% o-owsec pii>c»s.i. 

so 

6. A browser system according to claim 5, wherein 
data associated with the remote data source has a 
third sensitivity label. 

7. A browser system according to claim 5 or claim 6, 
wherein the outside interface process has a second 
privilege which allows it to transfer data from the 
remote data source to the browser process. 




a j-sj^uSiSt, ih& tm^ac. sntsmc* process, tro^^ tns 
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"^^^ I^AKSlf CON n \ s j' "^N""rfLE| 
[Figure: flowchart. Legible box labels, in order: ADOPT CHILD'S LABEL; SPAWN CHILD PROCESS; REVERT TO ORIGINAL SENSITIVITY LABEL.] 

[Figure: flowchart. Legible box labels, in order: CLIENT SUBMITS REQUEST; TPI RECEIVES REQUEST; TPI RAISES ALLOWMACWRITE; TPI TRANSFERS REQUEST TO BROWSER; 620 TPI LOWERS ALLOWMACWRITE; WEB SERVER CONNECTION; TPO RECEIVES CONNECTION REQUEST; 640 TPO FORWARDS REQUEST TO WEB SERVER; WEB SERVER PROCESSES REQUEST; TPO RECEIVES HTTP STREAM; 660 TPO RAISES ALLOWMACWRITE; TPO PASSES HTTP STREAM TO BROWSER; 667 TPO LOWERS ALLOWMACWRITE; BROWSER INTERPRETS HTTP STREAM; 674 BROWSER RUNS MOBILE CODE; 680 BROWSER OPENS CONNECTION TO TPI; 685 TPI CONNECTS TO DISPLAY SERVER; TPI PUMPS GRAPHICAL OUTPUT TO DISPLAY SERVER.] 